diff --git a/modules/Microsoft.EventHub/namespaces/.test/parameters.json b/modules/Microsoft.EventHub/namespaces/.test/parameters.json
index 38aff7a42e..e997fb3c7f 100644
--- a/modules/Microsoft.EventHub/namespaces/.test/parameters.json
+++ b/modules/Microsoft.EventHub/namespaces/.test/parameters.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "name": {
- "value": "<>-az-evnsp-x-001"
+ "value": "<>-az-evhns-x-001"
 },
 "lock": {
 "value": "CanNotDelete"
@@ -94,7 +94,12 @@
 "value": [
 {
 "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints",
- "service": "namespace"
+ "service": "namespace",
+ "privateDnsZoneGroups": {
+ "privateDNSResourceIds": [
+ "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net"
+ ]
+ }
 }
 ]
 },
@@ -127,9 +132,7 @@
 ],
 "virtualNetworkRules": [
 {
- "subnet": {
- "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001"
- },
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001",
 "ignoreMissingVnetServiceEndpoint": true
 }
 ],
diff --git a/modules/Microsoft.EventHub/namespaces/.test/pe.parameters.json b/modules/Microsoft.EventHub/namespaces/.test/pe.parameters.json
new file mode 100644
index 0000000000..27acd28265
--- /dev/null
+++ b/modules/Microsoft.EventHub/namespaces/.test/pe.parameters.json
@@ -0,0 +1,22 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-evhns-pe-001" + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "namespace", + "privateDnsZoneGroups": { + "privateDNSResourceIds": [ + "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net" + ] + } + } + ] + } + } +} diff --git a/modules/Microsoft.EventHub/namespaces/deploy.bicep b/modules/Microsoft.EventHub/namespaces/deploy.bicep index 6f229e4e05..4316710636 100644 --- a/modules/Microsoft.EventHub/namespaces/deploy.bicep +++ b/modules/Microsoft.EventHub/namespaces/deploy.bicep @@ -43,7 +43,7 @@ param authorizationRules array = [ @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] -@description('Optional. Networks ACLs, this object contains IPs/Subnets to whitelist or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.') +@description('Optional. Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.') param networkRuleSets object = {} @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') 
@@ -188,26 +188,24 @@ resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-11-01' = { } } -resource eventHubNamespace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { - name: '${eventHubNamespace.name}-${lock}-lock' - properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' +module eventHubNamespace_authorizationRules 'authorizationRules/deploy.bicep' = [for (authorizationRule, index) in authorizationRules: { + name: '${uniqueString(deployment().name, location)}-EvhbNamespace-AuthRule-${index}' + params: { + namespaceName: eventHubNamespace.name + name: authorizationRule.name + rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : [] + enableDefaultTelemetry: enableReferencedModulesTelemetry } - scope: eventHubNamespace -} +}] -resource eventHubNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: diagnosticSettingsName - properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? 
diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs +module eventHubNamespace_disasterRecoveryConfig 'disasterRecoveryConfigs/deploy.bicep' = if (!empty(disasterRecoveryConfig)) { + name: '${uniqueString(deployment().name, location)}-EvhbNamespace-DisRecConfig' + params: { + namespaceName: eventHubNamespace.name + name: disasterRecoveryConfig.name + partnerNamespaceId: contains(disasterRecoveryConfig, 'partnerNamespaceId') ? disasterRecoveryConfig.partnerNamespaceId : '' + enableDefaultTelemetry: enableReferencedModulesTelemetry } - scope: eventHubNamespace } module eventHubNamespace_eventHubs 'eventhubs/deploy.bicep' = [for (eventHub, index) in eventHubs: { 
@@ -244,31 +242,11 @@ module eventHubNamespace_eventHubs 'eventhubs/deploy.bicep' = [for (eventHub, in } }] -module eventHubNamespace_diasterRecoveryConfig 'disasterRecoveryConfigs/deploy.bicep' = if (!empty(disasterRecoveryConfig)) { - name: '${uniqueString(deployment().name, location)}-EvhbNamespace-DisRecConfig' - params: { - namespaceName: eventHubNamespace.name - name: disasterRecoveryConfig.name - partnerNamespaceId: contains(disasterRecoveryConfig, 'partnerNamespaceId') ? disasterRecoveryConfig.partnerNamespaceId : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -} - -module eventHubNamespace_authorizationRules 'authorizationRules/deploy.bicep' = [for (authorizationRule, index) in authorizationRules: { - name: '${uniqueString(deployment().name, location)}-EvhbNamespace-AuthRule-${index}' - params: { - namespaceName: eventHubNamespace.name - name: authorizationRule.name - rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!empty(networkRuleSets)) { +module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!empty(networkRuleSets) || !empty(privateEndpoints)) { name: '${uniqueString(deployment().name, location)}-EvhbNamespace-NetworkRuleSet' params: { namespaceName: eventHubNamespace.name - publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : 'Enabled' + publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) && empty(networkRuleSets) ? 'Disabled' : 'Enabled') defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow' trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? 
networkRuleSets.trustedServiceAccessEnabled : true ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : [] @@ -308,6 +286,28 @@ module eventHubNamespace_roleAssignments '.bicep/nested_roleAssignments.bicep' = } }] +resource eventHubNamespace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { + name: '${eventHubNamespace.name}-${lock}-lock' + properties: { + level: any(lock) + notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + } + scope: eventHubNamespace +} + +resource eventHubNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { + name: diagnosticSettingsName + properties: { + storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null + workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null + eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null + eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null + metrics: diagnosticsMetrics + logs: diagnosticsLogs + } + scope: eventHubNamespace +} + @description('The name of the eventspace.') output name string = eventHubNamespace.name diff --git a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep index 6c73af97bc..e8907f3d96 100644 --- a/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep +++ b/modules/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep 
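Review bot: The `publicNetworkAccess` fallback on the changed `params` line disables public access only when `networkRuleSets` is entirely empty; a caller who passes private endpoints together with any `networkRuleSets` key other than `publicNetworkAccess` (for example only `trustedServiceAccessEnabled`) gets `'Enabled'` combined with the unchanged `defaultAction` fallback of `'Allow'`, so the namespace stays reachable from the public network despite the private endpoints. If that is intended, it should be stated where callers will see it, e.g. a line above the module `// Private endpoints alone switch publicNetworkAccess to 'Disabled'; any other networkRuleSets key re-enables it unless publicNetworkAccess is set explicitly` and the same sentence in the `networkRuleSets` @description. If it is not intended, the fallback could be `!empty(privateEndpoints) ? 'Disabled' : 'Enabled'`, at the cost of breaking callers who combine private endpoints with ipRules over the public endpoint. The same expression already exists as a context line in the ServiceBus deploy.bicep hunk, so both modules should get whatever wording is chosen.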
@@ -5,32 +5,39 @@ param namespaceName string 'Enabled' 'Disabled' ]) -@description('Optional. This determines if traffic is allowed over public network. Default it is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only.') +@description('Optional. This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied.') param publicNetworkAccess string = 'Enabled' @allowed([ 'Allow' 'Deny' ]) -@description('Optional. Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules/virtualNetworkRules or are being used. If ipRules/virtualNetworkRules are not used and PublicNetworkAccess is set to "Disabled", setting this to "Deny" would render the namespace resources inaccessible for data-plane requests.') +@description('Optional. Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.') param defaultAction string = 'Allow' -@description('Optional. List of IpRules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled".') -param ipRules array = [] - @allowed([ true false ]) -@description('Optional. Value that indicates whether Trusted Service Access is Enabled or not. Default is "true".') +@description('Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled".') param trustedServiceAccessEnabled bool = true -@description('Optional. List VirtualNetwork Rules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled".') +@description('Optional. List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". 
Otherwise, when used, defaultAction will be set to "Deny".') param virtualNetworkRules array = [] +@description('Optional. List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".') +param ipRules array = [] + @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true +var networkRules = [for (virtualNetworkRule, index) in virtualNetworkRules: { + ignoreMissingVnetServiceEndpoint: contains(virtualNetworkRule, 'ignoreMissingVnetServiceEndpoint') ? virtualNetworkRule.ignoreMissingVnetServiceEndpoint : null + subnet: contains(virtualNetworkRule, 'subnetResourceId') ? { + id: virtualNetworkRule.subnetResourceId + } : null +}] + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { @@ -51,11 +58,11 @@ resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2021-11-0 name: 'default' parent: namespace properties: { - publicNetworkAccess: !empty(ipRules) || !empty(virtualNetworkRules) ? null : publicNetworkAccess - defaultAction: !empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction - trustedServiceAccessEnabled: trustedServiceAccessEnabled + publicNetworkAccess: publicNetworkAccess + defaultAction: publicNetworkAccess == 'Disabled' ? null : (!empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction) + trustedServiceAccessEnabled: publicNetworkAccess == 'Disabled' ? null : trustedServiceAccessEnabled ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules - virtualNetworkRules: publicNetworkAccess == 'Disabled' ? null : virtualNetworkRules + virtualNetworkRules: publicNetworkAccess == 'Disabled' ? null : networkRules } } 
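Review bot: The new `networkRules` variable turns a rule without `subnetResourceId` into an entry with `subnet: null` instead of failing, so a caller still passing the old `subnet: { id: ... }` shape that this hunk stops accepting deploys a rule set with the intended subnet silently dropped; whether the resource provider rejects or ignores such an entry, the error surfaces far from its cause. Dropping the guard, `subnet: { id: virtualNetworkRule.subnetResourceId }`, makes a missing key fail the deployment at the point of misuse; the same pattern is in the ServiceBus networkRuleSets/deploy.bicep hunk, where only the key name changed. The `virtualNetworkRules` description should also name the accepted keys now that the input shape has changed, e.g. `@description('Optional. List of virtual network rules, each with "subnetResourceId" and optional "ignoreMissingVnetServiceEndpoint". It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".')`.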
diff --git a/modules/Microsoft.EventHub/namespaces/networkRuleSets/readme.md b/modules/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
index 546121dd41..aa92c1dcc4 100644
--- a/modules/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
+++ b/modules/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
@@ -24,12 +24,12 @@ This module deploys EventHub Namespaces NetworkRuleSets. **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules/virtualNetworkRules or are being used. If ipRules/virtualNetworkRules are not used and PublicNetworkAccess is set to "Disabled", setting this to "Deny" would render the namespace resources inaccessible for data-plane requests. | +| `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `ipRules` | array | `[]` | | List of IpRules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled". | -| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. Default it is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only. | -| `trustedServiceAccessEnabled` | bool | `True` | `[False, True]` | Value that indicates whether Trusted Service Access is Enabled or not. Default is "true". | -| `virtualNetworkRules` | array | `[]` | | List VirtualNetwork Rules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled". | +| `ipRules` | array | `[]` | | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | +| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. 
Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. | +| `trustedServiceAccessEnabled` | bool | `True` | `[False, True]` | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". | +| `virtualNetworkRules` | array | `[]` | | List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | ### Parameter Usage: `` diff --git a/modules/Microsoft.EventHub/namespaces/networkRuleSets/version.json b/modules/Microsoft.EventHub/namespaces/networkRuleSets/version.json index 56f8d9ca40..badc0a2285 100644 --- a/modules/Microsoft.EventHub/namespaces/networkRuleSets/version.json +++ b/modules/Microsoft.EventHub/namespaces/networkRuleSets/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } diff --git a/modules/Microsoft.EventHub/namespaces/readme.md b/modules/Microsoft.EventHub/namespaces/readme.md index 72660b1c81..c6d224215b 100644 --- a/modules/Microsoft.EventHub/namespaces/readme.md +++ b/modules/Microsoft.EventHub/namespaces/readme.md 
@@ -48,7 +48,7 @@ This module deploys an event hub namespace. | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | | `maximumThroughputUnits` | int | `1` | | Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. | | `name` | string | `''` | | The name of the event hub namespace. If no name is provided, then unique name will be created. | -| `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Networks ACLs, this object contains IPs/Subnets to whitelist or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | +| `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Configure networking options. This object contains IPs/Subnets to allow or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `skuCapacity` | int | `1` | | Event Hub plan scale-out capacity of the resource. | @@ -402,7 +402,7 @@ module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { } ] lock: 'CanNotDelete' - name: '<>-az-evnsp-x-001' + name: '<>-az-evhns-x-001' networkRuleSets: { defaultAction: 'Deny' ipRules: [ 
@@ -415,14 +415,17 @@ module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { virtualNetworkRules: [ { ignoreMissingVnetServiceEndpoint: true - subnet: { - id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001' - } + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001' } ] } privateEndpoints: [ { + privateDnsZoneGroups: { + privateDNSResourceIds: [ + '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net' + ] + } service: 'namespace' subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' } @@ -546,7 +549,7 @@ module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { "value": "CanNotDelete" }, "name": { - "value": "<>-az-evnsp-x-001" + "value": "<>-az-evhns-x-001" }, "networkRuleSets": { "value": { @@ -561,9 +564,7 @@ module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { "virtualNetworkRules": [ { "ignoreMissingVnetServiceEndpoint": true, - "subnet": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001" - } + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001" } ] } 
@@ -571,6 +572,11 @@ module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { "privateEndpoints": { "value": [ { + "privateDnsZoneGroups": { + "privateDNSResourceIds": [ + "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net" + ] + }, "service": "namespace", "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" } @@ -600,3 +606,64 @@ module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = {

+ +

Example 3: Pe

+ +
+ +via Bicep module + +```bicep +module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-namespaces' + params: { + name: '<>-az-evhns-pe-001' + privateEndpoints: [ + { + privateDnsZoneGroups: { + privateDNSResourceIds: [ + '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net' + ] + } + service: 'namespace' + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-evhns-pe-001" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneGroups": { + "privateDNSResourceIds": [ + "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net" + ] + }, + "service": "namespace", + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" + } + ] + } + } +} +``` + +
+

diff --git a/modules/Microsoft.EventHub/namespaces/version.json b/modules/Microsoft.EventHub/namespaces/version.json
index 56f8d9ca40..badc0a2285 100644
--- a/modules/Microsoft.EventHub/namespaces/version.json
+++ b/modules/Microsoft.EventHub/namespaces/version.json
@@ -1,4 +1,4 @@
 {
 "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.4"
+ "version": "0.5"
 }
diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json b/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json
index d5d6535958..20f9d06cfe 100644
--- a/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json
+++ b/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json
@@ -37,7 +37,7 @@
 "virtualNetworkRules": [
 {
 "ignoreMissingVnetServiceEndpoint": true,
- "subnet": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-003"
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-003"
 }
 ],
 "ipRules": [
diff --git a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep
index 111879176f..1a171abd91 100644
--- a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep
+++ b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep
@@ -240,11 +240,11 @@ module serviceBusNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (! name: '${uniqueString(deployment().name, location)}-NetworkRuleSet' params: { namespaceName: serviceBusNamespace.name - defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : (!empty(privateEndpoints) ? 'Deny' : null) publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) && empty(networkRuleSets) ? 'Disabled' : 'Enabled') + defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow' trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true - virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? networkRuleSets.virtualNetworkRules : [] ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : [] + virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? networkRuleSets.virtualNetworkRules : [] enableDefaultTelemetry: enableReferencedModulesTelemetry } } diff --git a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index 08f6730b95..6be7153cdf 100644 --- a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep 
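Review bot: The rewritten `defaultAction` line changes the fallback from `(!empty(privateEndpoints) ? 'Deny' : null)` to `'Allow'`, which loosens the posture for one input: private endpoints plus a `networkRuleSets` object that sets neither `defaultAction` nor `publicNetworkAccess`. For that input the unchanged `publicNetworkAccess` context line yields `'Enabled'`, and the old fallback denied unmatched public traffic by default, whereas the new code leaves the public endpoint on `'Allow'` unless the caller also supplies ipRules or virtualNetworkRules. This matches the EventHub module, whose `defaultAction` fallback is already `'Allow'`, but if the old tightening was deliberate, `: (!empty(privateEndpoints) ? 'Deny' : 'Allow')` keeps it while still replacing the `null`. The module's opening line lies before the hunk, and either way the behaviour change deserves a sentence in the `networkRuleSets` description.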
@@ -7,27 +7,27 @@ param namespaceName string 'Enabled' 'Disabled' ]) -@description('Optional. This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only.') +@description('Optional. This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied.') param publicNetworkAccess string = 'Enabled' @allowed([ 'Allow' 'Deny' ]) -@description('Optional. Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules or virtualNetworkRules are being used.') +@description('Optional. Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used.') param defaultAction string = 'Allow' @allowed([ true false ]) -@description('Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is "true".') +@description('Optional. Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled".') param trustedServiceAccessEnabled bool = true -@description('Optional. List virtual network rules. When used, defaultAction will be set to "Deny".') +@description('Optional. List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".') param virtualNetworkRules array = [] -@description('Optional. List of IpRules. When used, defaultAction will be set to "Deny".') +@description('Optional. List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny".') param ipRules array = [] @description('Optional. 
Enable telemetry via the Customer Usage Attribution ID (GUID).') @@ -35,8 +35,8 @@ param enableDefaultTelemetry bool = true var networkRules = [for (virtualNetworkRule, index) in virtualNetworkRules: { ignoreMissingVnetServiceEndpoint: contains(virtualNetworkRule, 'ignoreMissingVnetServiceEndpoint') ? virtualNetworkRule.ignoreMissingVnetServiceEndpoint : null - subnet: contains(virtualNetworkRule, 'subnet') ? { - id: virtualNetworkRule.subnet + subnet: contains(virtualNetworkRule, 'subnetResourceId') ? { + id: virtualNetworkRule.subnetResourceId } : null }] @@ -61,8 +61,8 @@ resource networkRuleSet 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11 parent: namespace properties: { publicNetworkAccess: publicNetworkAccess - defaultAction: !empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction - trustedServiceAccessEnabled: trustedServiceAccessEnabled + defaultAction: publicNetworkAccess == 'Disabled' ? null : (!empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction) + trustedServiceAccessEnabled: publicNetworkAccess == 'Disabled' ? null : trustedServiceAccessEnabled ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules virtualNetworkRules: publicNetworkAccess == 'Disabled' ? null : networkRules } diff --git a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md index 23fb3c50c4..ff408e1b39 100644 --- a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md +++ b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md 
@@ -24,12 +24,12 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules or virtualNetworkRules are being used. | +| `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". It will not be set if publicNetworkAccess is "Disabled". Otherwise, it will be set to "Deny" if ipRules or virtualNetworkRules are being used. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `ipRules` | array | `[]` | | List of IpRules. When used, defaultAction will be set to "Deny". | -| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only. | -| `trustedServiceAccessEnabled` | bool | `True` | `[False, True]` | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". | -| `virtualNetworkRules` | array | `[]` | | List virtual network rules. When used, defaultAction will be set to "Deny". | +| `ipRules` | array | `[]` | | List of IpRules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | +| `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | This determines if traffic is allowed over public network. Default is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only and network rules will not be applied. 
| +| `trustedServiceAccessEnabled` | bool | `True` | `[False, True]` | Value that indicates whether Trusted Service Access is enabled or not. Default is "true". It will not be set if publicNetworkAccess is "Disabled". | +| `virtualNetworkRules` | array | `[]` | | List virtual network rules. It will not be set if publicNetworkAccess is "Disabled". Otherwise, when used, defaultAction will be set to "Deny". | ## Outputs diff --git a/modules/Microsoft.ServiceBus/namespaces/readme.md b/modules/Microsoft.ServiceBus/namespaces/readme.md index 75d9048b9c..94b66c451b 100644 --- a/modules/Microsoft.ServiceBus/namespaces/readme.md +++ b/modules/Microsoft.ServiceBus/namespaces/readme.md @@ -420,7 +420,7 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { virtualNetworkRules: [ { ignoreMissingVnetServiceEndpoint: true - subnet: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-003' + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-003' } ] } @@ -597,7 +597,7 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "virtualNetworkRules": [ { "ignoreMissingVnetServiceEndpoint": true, - "subnet": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-003" + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-003" } ] }