diff --git a/.azuredevops/modulePipelines/ms.aad.domainservices.yml b/.azuredevops/modulePipelines/ms.aad.domainservices.yml
index a11e9a9940..c02fe1a3fa 100644
--- a/.azuredevops/modulePipelines/ms.aad.domainservices.yml
+++ b/.azuredevops/modulePipelines/ms.aad.domainservices.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.aad.domainservices.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.AAD/DomainServices/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.analysisservices.servers.yml b/.azuredevops/modulePipelines/ms.analysisservices.servers.yml
index 61c1cf2529..b53d702a14 100644
--- a/.azuredevops/modulePipelines/ms.analysisservices.servers.yml
+++ b/.azuredevops/modulePipelines/ms.analysisservices.servers.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.analysisservices.servers.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.AnalysisServices/servers/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.apimanagement.service.yml b/.azuredevops/modulePipelines/ms.apimanagement.service.yml
index c9ce3c1ec4..890f212a89 100644
--- a/.azuredevops/modulePipelines/ms.apimanagement.service.yml
+++ b/.azuredevops/modulePipelines/ms.apimanagement.service.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.apimanagement.service.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.ApiManagement/service/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.appconfiguration.configurationstores.yml b/.azuredevops/modulePipelines/ms.appconfiguration.configurationstores.yml
index 71b9c1aaea..8350f6f95f 100644
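Review bot: Narrowing the template trigger from `'/.azuredevops/pipelineTemplates/*.yml'` to `'/.azuredevops/pipelineTemplates/module.*.yml'` means an edit to any template in that folder whose name does not start with `module.` no longer re-runs this pipeline. The stages these pipelines run are outside the hunk, but the deleted backupvaults pipeline later in this diff references `jobs.validateModulePester.yml`, `jobs.validateModuleDeployment.yml` and `jobs.publishModule.yml`; if the surviving pipelines still reference `jobs.*.yml` templates rather than renamed `module.*.yml` ones, a change to the job that deploys or publishes a module would merge to main without any module being re-validated against it. If the templates are renamed in the same change this is fine; otherwise either keep the wildcard or list the referenced templates explicitly, e.g. `- '/.azuredevops/pipelineTemplates/jobs.*.yml'`. The identical hunk is repeated for every module pipeline in this diff, so whichever way it goes should be applied to all of them.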
--- a/.azuredevops/modulePipelines/ms.appconfiguration.configurationstores.yml
+++ b/.azuredevops/modulePipelines/ms.appconfiguration.configurationstores.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.appconfiguration.configurationstores.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.AppConfiguration/configurationStores/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.authorization.policyassignments.yml b/.azuredevops/modulePipelines/ms.authorization.policyassignments.yml
index 58909f70ec..967137339f 100644
--- a/.azuredevops/modulePipelines/ms.authorization.policyassignments.yml
+++ b/.azuredevops/modulePipelines/ms.authorization.policyassignments.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.authorization.policyassignments.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Authorization/policyAssignments/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.authorization.policydefinitions.yml b/.azuredevops/modulePipelines/ms.authorization.policydefinitions.yml
index d72e85726e..1e41b0cf37 100644
--- a/.azuredevops/modulePipelines/ms.authorization.policydefinitions.yml
+++ b/.azuredevops/modulePipelines/ms.authorization.policydefinitions.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.authorization.policydefinitions.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Authorization/policyDefinitions/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.authorization.policyexemptions.yml b/.azuredevops/modulePipelines/ms.authorization.policyexemptions.yml
index bf0ba49d1d..039a963645 100644
--- a/.azuredevops/modulePipelines/ms.authorization.policyexemptions.yml
+++ b/.azuredevops/modulePipelines/ms.authorization.policyexemptions.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.authorization.policyexemptions.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Authorization/policyExemptions/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.authorization.policysetdefinitions.yml b/.azuredevops/modulePipelines/ms.authorization.policysetdefinitions.yml
index 075a7d1e98..6c35dab6ac 100644
--- a/.azuredevops/modulePipelines/ms.authorization.policysetdefinitions.yml
+++ b/.azuredevops/modulePipelines/ms.authorization.policysetdefinitions.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.authorization.policysetdefinitions.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Authorization/policySetDefinitions/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml b/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml
index eaf576d22e..f56e0fab07 100644
--- a/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml
+++ b/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.authorization.roleassignments.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Authorization/roleAssignments/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.authorization.roledefinitions.yml b/.azuredevops/modulePipelines/ms.authorization.roledefinitions.yml
index 7d17acf846..4d097a5a28 100644
--- a/.azuredevops/modulePipelines/ms.authorization.roledefinitions.yml
+++ b/.azuredevops/modulePipelines/ms.authorization.roledefinitions.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.authorization.roledefinitions.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Authorization/roleDefinitions/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.automation.automationaccounts.yml b/.azuredevops/modulePipelines/ms.automation.automationaccounts.yml
index 712302abd9..6def36bfb8 100644
--- a/.azuredevops/modulePipelines/ms.automation.automationaccounts.yml
+++ b/.azuredevops/modulePipelines/ms.automation.automationaccounts.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.automation.automationaccounts.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Automation/automationAccounts/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.batch.batchaccounts.yml b/.azuredevops/modulePipelines/ms.batch.batchaccounts.yml
index 281f7c72c2..696c5c11cf 100644
--- a/.azuredevops/modulePipelines/ms.batch.batchaccounts.yml
+++ b/.azuredevops/modulePipelines/ms.batch.batchaccounts.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.batch.batchaccounts.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Batch/batchAccounts/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml b/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml
index 56654ea7da..438cd6d3af 100644
--- a/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml
+++ b/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.CognitiveServices/accounts/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
@@ -46,7 +46,6 @@ stages:
 removeDeployment: '${{ parameters.removeDeployment }}'
 deploymentBlocks:
 - path: $(modulePath)/.parameters/parameters.json
- - path: $(modulePath)/.parameters/speech.parameters.json

 - stage: Publishing
 displayName: Publishing
diff --git a/.azuredevops/modulePipelines/ms.compute.availabilitysets.yml b/.azuredevops/modulePipelines/ms.compute.availabilitysets.yml
index c824e8c9be..ced557d6f4 100644
--- a/.azuredevops/modulePipelines/ms.compute.availabilitysets.yml
+++ b/.azuredevops/modulePipelines/ms.compute.availabilitysets.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.compute.availabilitysets.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Compute/availabilitySets/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.compute.diskencryptionsets.yml b/.azuredevops/modulePipelines/ms.compute.diskencryptionsets.yml
index 7f75460410..687771b964 100644
--- a/.azuredevops/modulePipelines/ms.compute.diskencryptionsets.yml
+++ b/.azuredevops/modulePipelines/ms.compute.diskencryptionsets.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.compute.diskencryptionsets.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Compute/diskEncryptionSets/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.compute.disks.yml b/.azuredevops/modulePipelines/ms.compute.disks.yml
index 3f9cae557f..0ccabc18d4 100644
--- a/.azuredevops/modulePipelines/ms.compute.disks.yml
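Review bot: Removing `- path: $(modulePath)/.parameters/speech.parameters.json` from `deploymentBlocks` in the `@@ -46,7 +46,6 @@` hunk drops the only deployment validation of that parameter set, and nothing in this diff removes the file itself from the module's `.parameters/` folder. If the file stays in the module it becomes an unvalidated sample that can drift from the template silently; if it is deleted in the same change, a short note in the commit message would make that clear. The `Deployment` stage this hunk edits starts before the hunk.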
+++ b/.azuredevops/modulePipelines/ms.compute.disks.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.compute.disks.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Compute/disks/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.compute.galleries.yml b/.azuredevops/modulePipelines/ms.compute.galleries.yml
index cf84e0fbef..b3d9d717bf 100644
--- a/.azuredevops/modulePipelines/ms.compute.galleries.yml
+++ b/.azuredevops/modulePipelines/ms.compute.galleries.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.compute.galleries.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Compute/galleries/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.compute.images.yml b/.azuredevops/modulePipelines/ms.compute.images.yml
index 834db0a5d7..d17925e8d3 100644
--- a/.azuredevops/modulePipelines/ms.compute.images.yml
+++ b/.azuredevops/modulePipelines/ms.compute.images.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.compute.images.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Compute/images/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.compute.proximityplacementgroups.yml b/.azuredevops/modulePipelines/ms.compute.proximityplacementgroups.yml
index c14f444ee2..cbaa9ea1a0 100644
--- a/.azuredevops/modulePipelines/ms.compute.proximityplacementgroups.yml
+++ b/.azuredevops/modulePipelines/ms.compute.proximityplacementgroups.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.compute.proximityplacementgroups.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Compute/proximityPlacementGroups/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.compute.virtualmachines.yml b/.azuredevops/modulePipelines/ms.compute.virtualmachines.yml
index 2fc6340f98..f11e36ddab 100644
--- a/.azuredevops/modulePipelines/ms.compute.virtualmachines.yml
+++ b/.azuredevops/modulePipelines/ms.compute.virtualmachines.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.compute.virtualmachines.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Compute/virtualMachines/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
@@ -47,10 +47,8 @@ stages:
 deploymentBlocks:
 - path: $(modulePath)/.parameters/linux.min.parameters.json
 - path: $(modulePath)/.parameters/linux.parameters.json
- - path: $(modulePath)/.parameters/linux.autmg.parameters.json
 - path: $(modulePath)/.parameters/windows.min.parameters.json
 - path: $(modulePath)/.parameters/windows.parameters.json
- - path: $(modulePath)/.parameters/windows.autmg.parameters.json

 - stage: Publishing
 displayName: Publishing
diff --git a/.azuredevops/modulePipelines/ms.compute.virtualmachinescalesets.yml b/.azuredevops/modulePipelines/ms.compute.virtualmachinescalesets.yml
index 70b43e3cc6..5dac586912 100644
--- a/.azuredevops/modulePipelines/ms.compute.virtualmachinescalesets.yml
+++ b/.azuredevops/modulePipelines/ms.compute.virtualmachinescalesets.yml
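Review bot: The two `autmg` parameter files (`linux.autmg.parameters.json` and `windows.autmg.parameters.json`) are dropped from `deploymentBlocks` in the `@@ -47,10 +47,8 @@` hunk, so whatever VM configuration they exercise is no longer deployed during validation, while this diff does not show the files being removed from the module. If those parameter sets still ship with the module they now go untested and can drift from the template unnoticed; either delete them in the same change or keep the blocks until a replacement test exists. The `Deployment` stage this hunk edits starts before the hunk.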
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.compute.virtualmachinescalesets.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Compute/virtualMachineScaleSets/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.consumption.budgets.yml b/.azuredevops/modulePipelines/ms.consumption.budgets.yml
index ba9e462fa4..219513d6a8 100644
--- a/.azuredevops/modulePipelines/ms.consumption.budgets.yml
+++ b/.azuredevops/modulePipelines/ms.consumption.budgets.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.consumption.budgets.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Consumption/budgets/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.containerinstance.containergroups.yml b/.azuredevops/modulePipelines/ms.containerinstance.containergroups.yml
index 694b57b52b..ec49b3c6ce 100644
--- a/.azuredevops/modulePipelines/ms.containerinstance.containergroups.yml
+++ b/.azuredevops/modulePipelines/ms.containerinstance.containergroups.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.containerinstance.containergroups.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.ContainerInstance/containerGroups/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.containerregistry.registries.yml b/.azuredevops/modulePipelines/ms.containerregistry.registries.yml
index dd2760a326..0d0719059b 100644
--- a/.azuredevops/modulePipelines/ms.containerregistry.registries.yml
+++ b/.azuredevops/modulePipelines/ms.containerregistry.registries.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.containerregistry.registries.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.ContainerRegistry/registries/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.containerservice.managedclusters.yml b/.azuredevops/modulePipelines/ms.containerservice.managedclusters.yml
index 68d4bc63d7..afbfad4d2b 100644
--- a/.azuredevops/modulePipelines/ms.containerservice.managedclusters.yml
+++ b/.azuredevops/modulePipelines/ms.containerservice.managedclusters.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.containerservice.managedclusters.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.ContainerService/managedClusters/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.databricks.workspaces.yml b/.azuredevops/modulePipelines/ms.databricks.workspaces.yml
index 7ec75b0a9b..36777fe42d 100644
--- a/.azuredevops/modulePipelines/ms.databricks.workspaces.yml
+++ b/.azuredevops/modulePipelines/ms.databricks.workspaces.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.databricks.workspaces.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Databricks/workspaces/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.datafactory.factories.yml b/.azuredevops/modulePipelines/ms.datafactory.factories.yml
index ccfabaf55b..8f13a4a1fb 100644
--- a/.azuredevops/modulePipelines/ms.datafactory.factories.yml
+++ b/.azuredevops/modulePipelines/ms.datafactory.factories.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.datafactory.factories.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.DataFactory/factories/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.dataprotection.backupvaults.yml b/.azuredevops/modulePipelines/ms.dataprotection.backupvaults.yml
deleted file mode 100644
index 55ba9a7eea..0000000000
--- a/.azuredevops/modulePipelines/ms.dataprotection.backupvaults.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-name: 'DataProtection - BackupVaults'
-
-parameters:
- - name: removeDeployment
- displayName: Remove deployed module
- type: boolean
- default: true
- - name: prerelease
- displayName: Publish prerelease module
- type: boolean
- default: false
-
-pr: none
-
-trigger:
- batch: true
- branches:
- include:
- - main
- paths:
- include:
- - '/.azuredevops/modulePipelines/ms.dataprotection.backupvaults.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
- - '/arm/Microsoft.DataProtection/vaults/*'
- - '/arm/.global/global.module.tests.ps1'
- exclude:
- - '/**/*.md'
-
-variables:
- - template: '../../global.variables.yml'
- - group: 'PLATFORM_VARIABLES'
- - name: modulePath
- value: '/arm/Microsoft.DataProtection/backupVaults'
-
-stages:
- - stage: Validation
- displayName: Static validation
- jobs:
- - template: /.azuredevops/pipelineTemplates/jobs.validateModulePester.yml
-
- - stage: Deployment
- displayName: Deployment validation
- jobs:
- - template: /.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
- parameters:
- removeDeployment: '${{ parameters.removeDeployment }}'
- deploymentBlocks:
- - path: $(modulePath)/.parameters/min.parameters.json
- - path: $(modulePath)/.parameters/parameters.json
-
- - stage: Publishing
- displayName: Publishing
- condition: and(succeeded(), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq('${{ parameters.prerelease }}', 'true')))
- jobs:
- - template: /.azuredevops/pipelineTemplates/jobs.publishModule.yml
diff --git a/.azuredevops/modulePipelines/ms.desktopvirtualization.applicationgroups.yml b/.azuredevops/modulePipelines/ms.desktopvirtualization.applicationgroups.yml
index 51d36df82c..ea1a3d9f62 100644
--- a/.azuredevops/modulePipelines/ms.desktopvirtualization.applicationgroups.yml
+++ b/.azuredevops/modulePipelines/ms.desktopvirtualization.applicationgroups.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.desktopvirtualization.applicationgroups.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.DesktopVirtualization/applicationgroups/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.desktopvirtualization.hostpools.yml b/.azuredevops/modulePipelines/ms.desktopvirtualization.hostpools.yml
index 1d1c49a4d2..2a8c19e784 100644
--- a/.azuredevops/modulePipelines/ms.desktopvirtualization.hostpools.yml
+++ b/.azuredevops/modulePipelines/ms.desktopvirtualization.hostpools.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.desktopvirtualization.hostpools.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.DesktopVirtualization/hostpools/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.desktopvirtualization.scalingplans.yml b/.azuredevops/modulePipelines/ms.desktopvirtualization.scalingplans.yml
index d17711a4bc..bca677f92b 100644
--- a/.azuredevops/modulePipelines/ms.desktopvirtualization.scalingplans.yml
+++ b/.azuredevops/modulePipelines/ms.desktopvirtualization.scalingplans.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.desktopvirtualization.scalingplans.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.DesktopVirtualization/scalingplans/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.desktopvirtualization.workspaces.yml b/.azuredevops/modulePipelines/ms.desktopvirtualization.workspaces.yml
index cfad4bfdc2..23d24d24b5 100644
--- a/.azuredevops/modulePipelines/ms.desktopvirtualization.workspaces.yml
+++ b/.azuredevops/modulePipelines/ms.desktopvirtualization.workspaces.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.desktopvirtualization.workspaces.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.DesktopVirtualization/workspaces/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.documentdb.databaseaccounts.yml b/.azuredevops/modulePipelines/ms.documentdb.databaseaccounts.yml
index 4966965b0b..5b319ed878 100644
--- a/.azuredevops/modulePipelines/ms.documentdb.databaseaccounts.yml
+++ b/.azuredevops/modulePipelines/ms.documentdb.databaseaccounts.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.documentdb.databaseaccounts.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.DocumentDB/databaseAccounts/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.eventgrid.systemtopics.yml b/.azuredevops/modulePipelines/ms.eventgrid.systemtopics.yml
index 71a74153cf..7eb88f59d0 100644
--- a/.azuredevops/modulePipelines/ms.eventgrid.systemtopics.yml
+++ b/.azuredevops/modulePipelines/ms.eventgrid.systemtopics.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.eventgrid.systemtopics.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.EventGrid/systemTopics/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.eventgrid.topics.yml b/.azuredevops/modulePipelines/ms.eventgrid.topics.yml
index 76fbff905a..695b8277bd 100644
--- a/.azuredevops/modulePipelines/ms.eventgrid.topics.yml
+++ b/.azuredevops/modulePipelines/ms.eventgrid.topics.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.eventgrid.topics.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.EventGrid/topics/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.eventhub.namespaces.yml b/.azuredevops/modulePipelines/ms.eventhub.namespaces.yml
index b3d86604f3..1218276a34 100644
--- a/.azuredevops/modulePipelines/ms.eventhub.namespaces.yml
+++ b/.azuredevops/modulePipelines/ms.eventhub.namespaces.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.eventhub.namespaces.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.EventHub/namespaces/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.healthbot.healthbots.yml b/.azuredevops/modulePipelines/ms.healthbot.healthbots.yml
index 8e5078a82a..e6a37c0988 100644
--- a/.azuredevops/modulePipelines/ms.healthbot.healthbots.yml
+++ b/.azuredevops/modulePipelines/ms.healthbot.healthbots.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.healthbot.healthbots.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.HealthBot/healthBots/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.insights.actiongroups.yml b/.azuredevops/modulePipelines/ms.insights.actiongroups.yml
index dcecbc2b6a..379e82a877 100644
--- a/.azuredevops/modulePipelines/ms.insights.actiongroups.yml
+++ b/.azuredevops/modulePipelines/ms.insights.actiongroups.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.insights.actiongroups.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Insights/actionGroups/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.insights.activitylogalerts.yml b/.azuredevops/modulePipelines/ms.insights.activitylogalerts.yml
index e5de0671d3..8d4c6bd01a 100644
--- a/.azuredevops/modulePipelines/ms.insights.activitylogalerts.yml
+++ b/.azuredevops/modulePipelines/ms.insights.activitylogalerts.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.insights.activitylogalerts.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Insights/activityLogAlerts/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.insights.components.yml b/.azuredevops/modulePipelines/ms.insights.components.yml
index 129e5301e2..09c67aefc8 100644
--- a/.azuredevops/modulePipelines/ms.insights.components.yml
+++ b/.azuredevops/modulePipelines/ms.insights.components.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.insights.components.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Insights/components/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.insights.diagnosticsettings.yml b/.azuredevops/modulePipelines/ms.insights.diagnosticsettings.yml
index d1407b082c..b0850b947a 100644
--- a/.azuredevops/modulePipelines/ms.insights.diagnosticsettings.yml
+++ b/.azuredevops/modulePipelines/ms.insights.diagnosticsettings.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.insights.diagnosticsettings.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Insights/diagnosticSettings/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.insights.metricalerts.yml b/.azuredevops/modulePipelines/ms.insights.metricalerts.yml
index a92a0c44aa..50d8d342c7 100644
--- a/.azuredevops/modulePipelines/ms.insights.metricalerts.yml
+++ b/.azuredevops/modulePipelines/ms.insights.metricalerts.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.insights.metricalerts.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Insights/metricAlerts/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.insights.privatelinkscopes.yml b/.azuredevops/modulePipelines/ms.insights.privatelinkscopes.yml
index f2f22672c9..9f3170f52f 100644
--- a/.azuredevops/modulePipelines/ms.insights.privatelinkscopes.yml
+++ b/.azuredevops/modulePipelines/ms.insights.privatelinkscopes.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.insights.privatelinkscopes.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Insights/privateLinkScopes/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.insights.scheduledqueryrules.yml b/.azuredevops/modulePipelines/ms.insights.scheduledqueryrules.yml
index cf0a3e7e2c..7c09a7ca28 100644
--- a/.azuredevops/modulePipelines/ms.insights.scheduledqueryrules.yml
+++ b/.azuredevops/modulePipelines/ms.insights.scheduledqueryrules.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.insights.scheduledqueryrules.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Insights/scheduledQueryRules/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.keyvault.vaults.yml b/.azuredevops/modulePipelines/ms.keyvault.vaults.yml
index dd9f52090d..8c3b531f95 100644
--- a/.azuredevops/modulePipelines/ms.keyvault.vaults.yml
+++ b/.azuredevops/modulePipelines/ms.keyvault.vaults.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.keyvault.vaults.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.KeyVault/vaults/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.kubernetesconfiguration.extensions.yml b/.azuredevops/modulePipelines/ms.kubernetesconfiguration.extensions.yml
index 6e4a9957b8..cc977eaa62 100644
--- a/.azuredevops/modulePipelines/ms.kubernetesconfiguration.extensions.yml
+++ b/.azuredevops/modulePipelines/ms.kubernetesconfiguration.extensions.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.kubernetesconfiguration.extensions.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.KubernetesConfiguration/extensions/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.kubernetesconfiguration.fluxconfigurations.yml b/.azuredevops/modulePipelines/ms.kubernetesconfiguration.fluxconfigurations.yml
index cc43f6e135..9d21bee8cd 100644
--- a/.azuredevops/modulePipelines/ms.kubernetesconfiguration.fluxconfigurations.yml
+++ b/.azuredevops/modulePipelines/ms.kubernetesconfiguration.fluxconfigurations.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.kubernetesconfiguration.fluxconfigurations.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.KubernetesConfiguration/fluxConfigurations/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.logic.workflows.yml b/.azuredevops/modulePipelines/ms.logic.workflows.yml
index 661b4d355c..3fb2b7be5f 100644
--- a/.azuredevops/modulePipelines/ms.logic.workflows.yml
+++ b/.azuredevops/modulePipelines/ms.logic.workflows.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.logic.workflows.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Logic/workflows/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml b/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml
index d309cdb975..6f5d0a1cc8 100644
--- a/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml
+++ b/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.MachineLearningServices/workspaces/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.managedidentity.userassignedidentities.yml b/.azuredevops/modulePipelines/ms.managedidentity.userassignedidentities.yml
index 80121f67e5..88b09b383e 100644
--- a/.azuredevops/modulePipelines/ms.managedidentity.userassignedidentities.yml
+++ b/.azuredevops/modulePipelines/ms.managedidentity.userassignedidentities.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.managedidentity.userassignedidentities.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.ManagedIdentity/userAssignedIdentities/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.managedservices.registrationdefinitions.yml b/.azuredevops/modulePipelines/ms.managedservices.registrationdefinitions.yml
index 62fee30f9b..965acdc8bd 100644
--- a/.azuredevops/modulePipelines/ms.managedservices.registrationdefinitions.yml
+++ b/.azuredevops/modulePipelines/ms.managedservices.registrationdefinitions.yml
@@ -4,7 +4,7 @@ parameters:
 - name: removeDeployment
 displayName: Remove deployed module
 type: boolean
- default: true
+ default: false # Needs a custom removal script
 - name: prerelease
 displayName: Publish prerelease module
 type: boolean
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.managedservices.registrationdefinitions.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.ManagedServices/registrationDefinitions/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.management.managementgroups.yml b/.azuredevops/modulePipelines/ms.management.managementgroups.yml
index 308ff44dc5..615ab227ee 100644
--- a/.azuredevops/modulePipelines/ms.management.managementgroups.yml
+++ b/.azuredevops/modulePipelines/ms.management.managementgroups.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.management.managementgroups.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Management/managementGroups/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
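Review bot: With `default: false` in the `@@ -4,7 +4,7 @@` hunk of ms.managedservices.registrationdefinitions.yml, every validation run now leaves its Microsoft.ManagedServices/registrationDefinitions deployment behind; these definitions are delegated-access grants to another tenant, so the test subscription presumably accumulates live delegations until someone removes them by hand. The inline comment records only that a custom removal script is needed, not that deployed definitions persist or who cleans them up. Expand it so the consequence is visible to the next reader, e.g. `default: false # Needs a custom removal script; deployed definitions are left in place until removed manually`.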
diff --git a/.azuredevops/modulePipelines/ms.netapp.netappaccounts.yml b/.azuredevops/modulePipelines/ms.netapp.netappaccounts.yml
index 2b161f504d..d0756d5c19 100644
--- a/.azuredevops/modulePipelines/ms.netapp.netappaccounts.yml
+++ b/.azuredevops/modulePipelines/ms.netapp.netappaccounts.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.netapp.netappaccounts.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.NetApp/netAppAccounts/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.applicationgateways.yml b/.azuredevops/modulePipelines/ms.network.applicationgateways.yml
index 6225a4f68c..11d414aaf6 100644
--- a/.azuredevops/modulePipelines/ms.network.applicationgateways.yml
+++ b/.azuredevops/modulePipelines/ms.network.applicationgateways.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.applicationgateways.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/applicationGateways/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.applicationsecuritygroups.yml b/.azuredevops/modulePipelines/ms.network.applicationsecuritygroups.yml
index f4e3156552..d937443a98 100644
--- a/.azuredevops/modulePipelines/ms.network.applicationsecuritygroups.yml
+++ b/.azuredevops/modulePipelines/ms.network.applicationsecuritygroups.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.applicationsecuritygroups.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/applicationSecurityGroups/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.azurefirewalls.yml b/.azuredevops/modulePipelines/ms.network.azurefirewalls.yml
index 4a55274d85..c8ab5e6758 100644
--- a/.azuredevops/modulePipelines/ms.network.azurefirewalls.yml
+++ b/.azuredevops/modulePipelines/ms.network.azurefirewalls.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.azurefirewalls.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/azureFirewalls/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.bastionhosts.yml b/.azuredevops/modulePipelines/ms.network.bastionhosts.yml
index a456581930..4aa3213912 100644
--- a/.azuredevops/modulePipelines/ms.network.bastionhosts.yml
+++ b/.azuredevops/modulePipelines/ms.network.bastionhosts.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.bastionhosts.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/bastionHosts/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.connections.yml b/.azuredevops/modulePipelines/ms.network.connections.yml
index 2111b74e77..6b4cc11764 100644
--- a/.azuredevops/modulePipelines/ms.network.connections.yml
+++ b/.azuredevops/modulePipelines/ms.network.connections.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.connections.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/connections/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.ddosprotectionplans.yml b/.azuredevops/modulePipelines/ms.network.ddosprotectionplans.yml
index 0f63e495bc..b7ef751770 100644
--- a/.azuredevops/modulePipelines/ms.network.ddosprotectionplans.yml
+++ b/.azuredevops/modulePipelines/ms.network.ddosprotectionplans.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.ddosprotectionplans.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/ddosProtectionPlans/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.expressroutecircuits.yml b/.azuredevops/modulePipelines/ms.network.expressroutecircuits.yml
index 1fc686d50f..51f4921c27 100644
--- a/.azuredevops/modulePipelines/ms.network.expressroutecircuits.yml
+++ b/.azuredevops/modulePipelines/ms.network.expressroutecircuits.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.expressroutecircuits.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/expressRouteCircuits/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.firewallpolicies.yml b/.azuredevops/modulePipelines/ms.network.firewallpolicies.yml
index 69a52d6e60..1025c854d8 100644
--- a/.azuredevops/modulePipelines/ms.network.firewallpolicies.yml
+++ b/.azuredevops/modulePipelines/ms.network.firewallpolicies.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.firewallpolicies.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/firewallpolicies/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.frontdoors.yml b/.azuredevops/modulePipelines/ms.network.frontdoors.yml
index 6ef0c447e5..aec0e387fd 100644
--- a/.azuredevops/modulePipelines/ms.network.frontdoors.yml
+++ b/.azuredevops/modulePipelines/ms.network.frontdoors.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.frontdoors.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/frontDoors/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.ipgroups.yml b/.azuredevops/modulePipelines/ms.network.ipgroups.yml
index 2cebe6016a..e89f72c24e 100644
--- a/.azuredevops/modulePipelines/ms.network.ipgroups.yml
+++ b/.azuredevops/modulePipelines/ms.network.ipgroups.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.ipgroups.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/ipGroups/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.loadbalancers.yml b/.azuredevops/modulePipelines/ms.network.loadbalancers.yml
index 1ab86396d9..120694c31a 100644
--- a/.azuredevops/modulePipelines/ms.network.loadbalancers.yml
+++ b/.azuredevops/modulePipelines/ms.network.loadbalancers.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.loadbalancers.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/loadBalancers/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.localnetworkgateways.yml b/.azuredevops/modulePipelines/ms.network.localnetworkgateways.yml
index 74c7f3f7bd..84f45e752d 100644
--- a/.azuredevops/modulePipelines/ms.network.localnetworkgateways.yml
+++ b/.azuredevops/modulePipelines/ms.network.localnetworkgateways.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.localnetworkgateways.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/localNetworkGateways/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.natgateways.yml b/.azuredevops/modulePipelines/ms.network.natgateways.yml
index 036aebbf69..b2f9f8a1b8 100644
--- a/.azuredevops/modulePipelines/ms.network.natgateways.yml
+++ b/.azuredevops/modulePipelines/ms.network.natgateways.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.natgateways.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/natGateways/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.networkinterfaces.yml b/.azuredevops/modulePipelines/ms.network.networkinterfaces.yml
index ce5051d2f2..b4c77b7569 100644
--- a/.azuredevops/modulePipelines/ms.network.networkinterfaces.yml
+++ b/.azuredevops/modulePipelines/ms.network.networkinterfaces.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.networkinterfaces.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/networkInterfaces/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.networksecuritygroups.yml b/.azuredevops/modulePipelines/ms.network.networksecuritygroups.yml
index 97508a03c9..5ffdc7ec21 100644
--- a/.azuredevops/modulePipelines/ms.network.networksecuritygroups.yml
+++ b/.azuredevops/modulePipelines/ms.network.networksecuritygroups.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.networksecuritygroups.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/networkSecurityGroups/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.networkwatchers.yml b/.azuredevops/modulePipelines/ms.network.networkwatchers.yml
index e18f04f34c..826a30bbf6 100644
--- a/.azuredevops/modulePipelines/ms.network.networkwatchers.yml
+++ b/.azuredevops/modulePipelines/ms.network.networkwatchers.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.networkwatchers.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/networkWatchers/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.privatednszones.yml b/.azuredevops/modulePipelines/ms.network.privatednszones.yml
index 9b152568fb..d27438d5cc 100644
--- a/.azuredevops/modulePipelines/ms.network.privatednszones.yml
+++ b/.azuredevops/modulePipelines/ms.network.privatednszones.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.privatednszones.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/privateDnsZones/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.privateendpoints.yml b/.azuredevops/modulePipelines/ms.network.privateendpoints.yml
index fd9b955ead..b83d1b1a99 100644
--- a/.azuredevops/modulePipelines/ms.network.privateendpoints.yml
+++ b/.azuredevops/modulePipelines/ms.network.privateendpoints.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.privateendpoints.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/privateEndpoints/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.publicipaddresses.yml b/.azuredevops/modulePipelines/ms.network.publicipaddresses.yml
index 2bf7ddc62e..16ecbb04b7 100644
--- a/.azuredevops/modulePipelines/ms.network.publicipaddresses.yml
+++ b/.azuredevops/modulePipelines/ms.network.publicipaddresses.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.publicipaddresses.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/publicIPAddresses/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.publicipprefixes.yml b/.azuredevops/modulePipelines/ms.network.publicipprefixes.yml
index 4b779ece81..0b26d934ae 100644
--- a/.azuredevops/modulePipelines/ms.network.publicipprefixes.yml
+++ b/.azuredevops/modulePipelines/ms.network.publicipprefixes.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.publicipprefixes.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/publicIPPrefixes/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.routetables.yml b/.azuredevops/modulePipelines/ms.network.routetables.yml
index 1aac7ed90d..bbe6fc2ea4 100644
--- a/.azuredevops/modulePipelines/ms.network.routetables.yml
+++ b/.azuredevops/modulePipelines/ms.network.routetables.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.routetables.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/routeTables/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.trafficmanagerprofiles.yml b/.azuredevops/modulePipelines/ms.network.trafficmanagerprofiles.yml
index 45d8db3d5a..b945593f93 100644
--- a/.azuredevops/modulePipelines/ms.network.trafficmanagerprofiles.yml
+++ b/.azuredevops/modulePipelines/ms.network.trafficmanagerprofiles.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.trafficmanagerprofiles.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/trafficmanagerprofiles/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.virtualhubs.yml b/.azuredevops/modulePipelines/ms.network.virtualhubs.yml
index c117fae374..1ee1fa014c 100644
--- a/.azuredevops/modulePipelines/ms.network.virtualhubs.yml
+++ b/.azuredevops/modulePipelines/ms.network.virtualhubs.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.virtualhubs.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/virtualHubs/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.virtualnetworkgateways.yml b/.azuredevops/modulePipelines/ms.network.virtualnetworkgateways.yml
index 51a9c6a5a6..8e5dd86bae 100644
--- a/.azuredevops/modulePipelines/ms.network.virtualnetworkgateways.yml
+++ b/.azuredevops/modulePipelines/ms.network.virtualnetworkgateways.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.virtualnetworkgateways.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/virtualNetworkGateways/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.virtualnetworks.yml b/.azuredevops/modulePipelines/ms.network.virtualnetworks.yml
index 8d1ae7e5dc..a64315fd44 100644
--- a/.azuredevops/modulePipelines/ms.network.virtualnetworks.yml
+++ b/.azuredevops/modulePipelines/ms.network.virtualnetworks.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.virtualnetworks.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/virtualNetworks/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.virtualwans.yml b/.azuredevops/modulePipelines/ms.network.virtualwans.yml
index b507e19983..4641306f77 100644
--- a/.azuredevops/modulePipelines/ms.network.virtualwans.yml
+++ b/.azuredevops/modulePipelines/ms.network.virtualwans.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.virtualwans.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/virtualWans/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.vpngateways.yml b/.azuredevops/modulePipelines/ms.network.vpngateways.yml
index cc2d3f9c8b..3ad60dfcc1 100644
--- a/.azuredevops/modulePipelines/ms.network.vpngateways.yml
+++ b/.azuredevops/modulePipelines/ms.network.vpngateways.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.vpngateways.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/vpnGateways/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.network.vpnsites.yml b/.azuredevops/modulePipelines/ms.network.vpnsites.yml
index 2c9be39166..db7f94f23b 100644
--- a/.azuredevops/modulePipelines/ms.network.vpnsites.yml
+++ b/.azuredevops/modulePipelines/ms.network.vpnsites.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.network.vpnsites.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Network/vpnSites/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.operationalinsights.workspaces.yml b/.azuredevops/modulePipelines/ms.operationalinsights.workspaces.yml
index daf7fc3728..ccc86d3434 100644
--- a/.azuredevops/modulePipelines/ms.operationalinsights.workspaces.yml
+++ b/.azuredevops/modulePipelines/ms.operationalinsights.workspaces.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.operationalinsights.workspaces.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.OperationalInsights/workspaces/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.operationsmanagement.solutions.yml b/.azuredevops/modulePipelines/ms.operationsmanagement.solutions.yml
deleted file mode 100644
index 483f0184d5..0000000000
--- a/.azuredevops/modulePipelines/ms.operationsmanagement.solutions.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-name: 'OperationsManagement - Solutions'
-
-parameters:
- - name: removeDeployment
- displayName: Remove deployed module
- type: boolean
- default: true
- - name: prerelease
- displayName: Publish prerelease module
- type: boolean
- default: false
-
-pr: none
-
-trigger:
- batch: true
- branches:
- include:
- - main
- paths:
- include:
- - '/.azuredevops/modulePipelines/ms.operationsmanagement.solutions.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
- - '/arm/Microsoft.OperationsManagement/solutions/*'
- - '/arm/.global/global.module.tests.ps1'
- exclude:
- - '/**/*.md'
-
-variables:
- - template: '../../global.variables.yml'
- - group: 'PLATFORM_VARIABLES'
- - name: modulePath
- value: '/arm/Microsoft.OperationsManagement/solutions'
-
-stages:
- - stage: Validation
- displayName: Static validation
- jobs:
- - template: /.azuredevops/pipelineTemplates/jobs.validateModulePester.yml
-
- - stage: Deployment
- displayName: Deployment validation
- jobs:
- - template: /.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
- parameters:
- removeDeployment: '${{ parameters.removeDeployment }}'
- deploymentBlocks:
- - path: $(modulePath)/.parameters/min.parameters.json
- - path: $(modulePath)/.parameters/nonms.parameters.json
- - path: $(modulePath)/.parameters/ms.parameters.json
-
- - stage: Publishing
- displayName: Publishing
- condition: and(succeeded(), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq('${{ parameters.prerelease }}', 'true')))
- jobs:
- - template: /.azuredevops/pipelineTemplates/jobs.publishModule.yml
diff --git a/.azuredevops/modulePipelines/ms.recoveryservices.vaults.yml b/.azuredevops/modulePipelines/ms.recoveryservices.vaults.yml
index bc65e9622b..c2f152f702 100644
--- a/.azuredevops/modulePipelines/ms.recoveryservices.vaults.yml
+++ b/.azuredevops/modulePipelines/ms.recoveryservices.vaults.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.recoveryservices.vaults.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.RecoveryServices/vaults/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.resources.deploymentscripts.yml b/.azuredevops/modulePipelines/ms.resources.deploymentscripts.yml
index cd826e0c27..e8e7958d4a 100644
--- a/.azuredevops/modulePipelines/ms.resources.deploymentscripts.yml
+++ b/.azuredevops/modulePipelines/ms.resources.deploymentscripts.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.resources.deploymentscripts.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Resources/deploymentScripts/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
@@ -48,6 +48,7 @@ stages:
 - path: $(modulePath)/.parameters/cli.parameters.json
 - path: $(modulePath)/.parameters/ps.parameters.json
+
 - stage: Publishing
 displayName: Publishing
 condition: and(succeeded(), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq('${{ parameters.prerelease }}', 'true')))
diff --git a/.azuredevops/modulePipelines/ms.resources.resourcegroups.yml b/.azuredevops/modulePipelines/ms.resources.resourcegroups.yml
index 9bde0ab4fc..aa30667d78 100644
--- a/.azuredevops/modulePipelines/ms.resources.resourcegroups.yml
+++ b/.azuredevops/modulePipelines/ms.resources.resourcegroups.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.resources.resourcegroups.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Resources/resourceGroups/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.resources.tags.yml b/.azuredevops/modulePipelines/ms.resources.tags.yml
index d0fe3f9404..1191adfdc1 100644
--- a/.azuredevops/modulePipelines/ms.resources.tags.yml
+++ b/.azuredevops/modulePipelines/ms.resources.tags.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.resources.tags.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Resources/tags/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.security.azuresecuritycenter.yml b/.azuredevops/modulePipelines/ms.security.azuresecuritycenter.yml
index a08f557ef1..5ebbe28dec 100644
--- a/.azuredevops/modulePipelines/ms.security.azuresecuritycenter.yml
+++ b/.azuredevops/modulePipelines/ms.security.azuresecuritycenter.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.security.azuresecuritycenter.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Security/azureSecurityCenter/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.servicebus.namespaces.yml b/.azuredevops/modulePipelines/ms.servicebus.namespaces.yml
index d555a10dde..9705d56759 100644
--- a/.azuredevops/modulePipelines/ms.servicebus.namespaces.yml
+++ b/.azuredevops/modulePipelines/ms.servicebus.namespaces.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.servicebus.namespaces.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.ServiceBus/namespaces/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.servicefabric.clusters.yml b/.azuredevops/modulePipelines/ms.servicefabric.clusters.yml
index 34031c7247..044ed42793 100644
--- a/.azuredevops/modulePipelines/ms.servicefabric.clusters.yml
+++ b/.azuredevops/modulePipelines/ms.servicefabric.clusters.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.servicefabric.clusters.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/Microsoft.ServiceFabric/clusters/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.sql.managedinstances.yml b/.azuredevops/modulePipelines/ms.sql.managedinstances.yml
index 2a063183c0..fc218e771e 100644
--- a/.azuredevops/modulePipelines/ms.sql.managedinstances.yml
+++ b/.azuredevops/modulePipelines/ms.sql.managedinstances.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.sql.managedinstances.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Sql/managedInstances/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.sql.servers.yml b/.azuredevops/modulePipelines/ms.sql.servers.yml
index c644d3a1df..d73e2796a1 100644
--- a/.azuredevops/modulePipelines/ms.sql.servers.yml
+++ b/.azuredevops/modulePipelines/ms.sql.servers.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.sql.servers.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Sql/servers/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.storage.storageaccounts.yml b/.azuredevops/modulePipelines/ms.storage.storageaccounts.yml
index 51f381d312..5c38fd0527 100644
--- a/.azuredevops/modulePipelines/ms.storage.storageaccounts.yml
+++ b/.azuredevops/modulePipelines/ms.storage.storageaccounts.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.storage.storageaccounts.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Storage/storageAccounts/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
@@ -49,7 +49,6 @@ stages:
 - path: $(modulePath)/.parameters/nfs.parameters.json
 - path: $(modulePath)/.parameters/parameters.json
 - path: $(modulePath)/.parameters/v1.parameters.json
- - path: $(modulePath)/.parameters/encr.parameters.json
 - stage: Publishing
 displayName: Publishing
diff --git a/.azuredevops/modulePipelines/ms.synapse.privatelinkhubs.yml b/.azuredevops/modulePipelines/ms.synapse.privatelinkhubs.yml
index e34d190ed5..cd4e58b8b7 100644
--- a/.azuredevops/modulePipelines/ms.synapse.privatelinkhubs.yml
+++ b/.azuredevops/modulePipelines/ms.synapse.privatelinkhubs.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.synapse.privatelinkhubs.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Synapse/privateLinkHubs/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.virtualmachineimages.imagetemplates.yml b/.azuredevops/modulePipelines/ms.virtualmachineimages.imagetemplates.yml
index 525c02e6fb..7eb6002e95 100644
--- a/.azuredevops/modulePipelines/ms.virtualmachineimages.imagetemplates.yml
+++ b/.azuredevops/modulePipelines/ms.virtualmachineimages.imagetemplates.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.virtualmachineimages.imagetemplates.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.VirtualMachineImages/imageTemplates/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.web.connections.yml b/.azuredevops/modulePipelines/ms.web.connections.yml
index 9abaa4136d..ec6b0e1ec8 100644
--- a/.azuredevops/modulePipelines/ms.web.connections.yml
+++ b/.azuredevops/modulePipelines/ms.web.connections.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.web.connections.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Web/connections/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.web.hostingenvironments.yml b/.azuredevops/modulePipelines/ms.web.hostingenvironments.yml
index fc2abe59b5..306170dfb7 100644
--- a/.azuredevops/modulePipelines/ms.web.hostingenvironments.yml
+++ b/.azuredevops/modulePipelines/ms.web.hostingenvironments.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.web.hostingenvironments.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Web/hostingEnvironments/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
@@ -45,8 +45,7 @@ stages:
 parameters:
 removeDeployment: '${{ parameters.removeDeployment }}'
 deploymentBlocks:
- - path: $(modulePath)/.parameters/asev2.parameters.json
- - path: $(modulePath)/.parameters/asev3.parameters.json
+ - path: $(modulePath)/.parameters/parameters.json
 defaultJobTimeoutInMinutes: 180
 - stage: Publishing
diff --git a/.azuredevops/modulePipelines/ms.web.serverfarms.yml b/.azuredevops/modulePipelines/ms.web.serverfarms.yml
index 285b2ce94b..309a23b009 100644
--- a/.azuredevops/modulePipelines/ms.web.serverfarms.yml
+++ b/.azuredevops/modulePipelines/ms.web.serverfarms.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.web.serverfarms.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Web/serverfarms/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.web.sites.yml b/.azuredevops/modulePipelines/ms.web.sites.yml
index 2c7584cd63..dbdd9e2079 100644
--- a/.azuredevops/modulePipelines/ms.web.sites.yml
+++ b/.azuredevops/modulePipelines/ms.web.sites.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.web.sites.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Web/sites/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/modulePipelines/ms.web.staticsites.yml b/.azuredevops/modulePipelines/ms.web.staticsites.yml
index 7784a2ce12..f7e912c9e3 100644
--- a/.azuredevops/modulePipelines/ms.web.staticsites.yml
+++ b/.azuredevops/modulePipelines/ms.web.staticsites.yml
@@ -20,7 +20,7 @@ trigger:
 paths:
 include:
 - '/.azuredevops/modulePipelines/ms.web.staticsites.yml'
- - '/.azuredevops/pipelineTemplates/*.yml'
+ - '/.azuredevops/pipelineTemplates/module.*.yml'
 - '/arm/Microsoft.Web/staticSites/*'
 - '/arm/.global/global.module.tests.ps1'
 exclude:
diff --git a/.azuredevops/pipelineTemplates/jobs.publishModule.yml b/.azuredevops/pipelineTemplates/jobs.publishModule.yml
index 622e05a8e5..b4b6db816c 100644
--- a/.azuredevops/pipelineTemplates/jobs.publishModule.yml
+++ b/.azuredevops/pipelineTemplates/jobs.publishModule.yml
@@ -268,7 +268,6 @@ jobs: scriptLocation: inlineScript inlineScript: | # Log into Az-PowerShell context - . $profile # Load PS-Profile configuration $SecuredPassword = ConvertTo-SecureString -AsPlainText -String $env:servicePrincipalKey $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:servicePrincipalId, $SecuredPassword Connect-AzAccount -ServicePrincipal -TenantId $env:tenantId -Credential $Credential @@ -311,4 +310,4 @@ jobs: Publish-ModuleToPrivateBicepRegistry @functionInput -Verbose Write-Host "##[endgroup]" - } + } \ No newline at end of file diff --git a/.azuredevops/pipelineTemplates/jobs.validateModulePester.yml b/.azuredevops/pipelineTemplates/jobs.validateModulePester.yml index 9e2870a142..b5711d27b3 100644 --- a/.azuredevops/pipelineTemplates/jobs.validateModulePester.yml +++ b/.azuredevops/pipelineTemplates/jobs.validateModulePester.yml @@ -152,11 +152,11 @@ jobs: if (-not [String]::IsNullOrEmpty('${{ parameters.managementGroupId }}')) { $enforcedTokenList['managementGroupId'] = '${{ parameters.managementGroupId }}' } - if (-not [String]::IsNullOrEmpty('$(DEPLOYMENT_SP_ID)')) { - $enforcedTokenList['deploymentSpId'] = '$(DEPLOYMENT_SP_ID)' - } if (-not [String]::IsNullOrEmpty('$(ARM_TENANT_ID)')) { - $enforcedTokenList['tenantId'] = '$(ARM_TENANT_ID)' + $enforcedTokenList['deploymentSpId'] = '$(ARM_TENANT_ID)' + } + if (-not [String]::IsNullOrEmpty('$(DEPLOYMENT_SP_ID)')) { + $enforcedTokenList['tenantId'] = '$(DEPLOYMENT_SP_ID)' } # --------------------- # @@ -169,6 +169,9 @@ jobs: enforcedTokenList = $enforcedTokenList } } + Filter = @{ + ExcludeTag = 'ApiCheck' + } TestResult = @{ TestSuiteName = 'Global Module Tests' OutputPath = 'arm/.global/global-testResults.xml' 
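Review bot: The rewritten `enforcedTokenList` block in the `@@ -152,11 +152,11 @@` hunk crosses the two identifiers: `$enforcedTokenList['deploymentSpId'] = '$(ARM_TENANT_ID)'` and `$enforcedTokenList['tenantId'] = '$(DEPLOYMENT_SP_ID)'`, so whatever the global tests compare against these tokens now sees the tenant ID where they expect the service principal ID and vice versa. The unchanged token map in `validateModuleDeployment/action.yml` later on this page keeps `tenantId = ARM_TENANT_ID` and `deploymentSpId = DEPLOYMENT_SP_ID`, which is presumably the intended mapping; the fix is to restore `$enforcedTokenList['tenantId'] = '$(ARM_TENANT_ID)'` inside the `ARM_TENANT_ID` check and `$enforcedTokenList['deploymentSpId'] = '$(DEPLOYMENT_SP_ID)'` inside the `DEPLOYMENT_SP_ID` check. The same crossed assignment appears in the `@@ -83,11 +83,11 @@` hunk of `.github/actions/templates/validateModulePester/action.yml`.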
@@ -191,3 +194,111 @@ jobs: searchFolder: 'arm/.global' continueOnError: false condition: succeededOrFailed() + + - job: + displayName: Run global API tests + timeoutInMinutes: ${{ parameters.defaultJobTimeoutInMinutes }} + pool: + ${{ if ne(parameters.vmImage, '') }}: + vmImage: ${{ parameters.vmImage }} + ${{ if ne(parameters.poolName, '') }}: + name: ${{ parameters.poolName }} + steps: + # [Checkout Repositories] task(s) + #-------------------------------- + - checkout: self + - ${{ if ne(parameters.checkoutRepositories, '') }}: + - ${{ each checkoutRepository in parameters.checkoutRepositories }}: + - checkout: ${{ checkoutRepository }} + fetchDepth: 1 # the depth of commits to ask Git to fetch; if not set defaults to no limit + path: 's/${{ checkoutRepository }}' + + # [Multi Repo] Support task + #-------------------------- + - task: PowerShell@2 + displayName: Handle Multi-Repo Invocation + inputs: + targetType: inline + pwsh: true + script: | + # Handle multiple-repositories + if( "${{ join(';',parameters.checkoutRepositories) }}".length -gt 0) { + Write-Verbose "Multi-Repo Checkout" -Verbose + $moduleRepoRoot = Join-Path '$(System.DefaultWorkingDirectory)' '$(modulesRepository)' + $parametersRepoRoot = Join-Path '$(System.DefaultWorkingDirectory)' '${{ parameters.parametersRepository }}' + } else { + Write-Verbose "No Multi-Repo Checkout" -Verbose + $moduleRepoRoot = '$(System.DefaultWorkingDirectory)' + $parametersRepoRoot = '$(System.DefaultWorkingDirectory)' + } + Write-Output "##vso[task.setvariable variable=ModuleRepoRoot]$moduleRepoRoot" + Write-Output "##vso[task.setvariable variable=ParametersRepoRoot]$parametersRepoRoot" + + # [Agent] Prepare environment + #---------------------------- + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . 
(Join-Path '$(moduleRepoRoot)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Set agent up + Set-EnvironmentOnAgent + + # [Module Pester Test] task(s) + #----------------------------- + - task: AzurePowerShell@5 + displayName: 'Run API tests via (Pester) via connection [${{ parameters.serviceConnection }}]' + inputs: + azureSubscription: ${{ parameters.serviceConnection }} + azurePowerShellVersion: ${{ parameters.azurePowerShellVersion }} + preferredAzurePowerShellVersion: ${{ parameters.preferredAzurePowerShellVersion }} + ScriptType: InlineScript + pwsh: true + inline: | + $moduleFolderPaths = @(Join-Path '$(moduleRepoRoot)' '${{ parameters.modulePath }}') + $moduleFolderPaths += (Get-ChildItem $moduleFolderPaths -Recurse -Directory -Force).FullName | Where-Object { + (Get-ChildItem $_ -File -Depth 0 -Include @('deploy.json', 'deploy.bicep') -Force).Count -gt 0 + } + Write-Verbose "Execute tests in path(s):" -Verbose + foreach($moduleFolderPath in $moduleFolderPaths) { + Write-Verbose "- [($moduleFolderPath]" -Verbose + } + + # --------------------- # + # Invoke Pester test(s) # + # --------------------- # + Invoke-Pester -Configuration @{ + Run = @{ + Container = New-PesterContainer -Path (Join-Path '$(moduleRepoRoot)' 'arm' '.global' 'global.module.tests.ps1') -Data @{ + moduleFolderPaths = $moduleFolderPaths + } + } + Filter = @{ + Tag = 'ApiCheck' + } + TestResult = @{ + TestSuiteName = 'Global Module API Tests' + OutputPath = 'arm/.global/api-testResults.xml' + OutputFormat = 'NUnitXml' + Enabled = $true + } + Output = @{ + Verbosity = 'Detailed' + } + } -ErrorAction 'Stop' + errorActionPreference: continue + + - task: PublishTestResults@2 + displayName: Publish Test Results + inputs: + testRunTitle: 'Global Module API Tests' + testResultsFormat: NUnit + testResultsFiles: api-testResults.xml + failTaskOnFailedTests: true + searchFolder: 'arm/.global' + continueOnError: false + condition: succeededOrFailed() 
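Review bot: In the new 'Run global API tests' job the Pester `OutputPath = 'arm/.global/api-testResults.xml'` and the publish step's `searchFolder: 'arm/.global'` are relative to the task working directory, while the test container is loaded from `$(moduleRepoRoot)`; in the multi-repo branch of the 'Handle Multi-Repo Invocation' step those roots differ, so the result file may be written somewhere the publish step does not look, or into a directory that does not exist there. Anchoring both on the same root, e.g. `OutputPath = (Join-Path '$(moduleRepoRoot)' 'arm' '.global' 'api-testResults.xml')` with a matching `searchFolder`, keeps them consistent. The log line `Write-Verbose "- [($moduleFolderPath]" -Verbose` has an unbalanced `(`; the same line is copied into the GitHub action version of this job in `.github/actions/templates/validateModulePester/action.yml`.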
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 2d7edbd607..5022693228 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -547,9 +547,6 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/fw.additional.parameters.json templateFilePath: $(templateFilePath) displayName: Firewall Additional Public IP - - path: $(dependencyPath)/$(resourceType)/parameters/bas.additional.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Additional Public IP - stage: deploy_appi displayName: Deploy application insight dependsOn: @@ -928,7 +925,7 @@ stages: displayName: Default Virtual Network - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json templateFilePath: $(templateFilePath) - displayName: Bastion Virtual Network Min + displayName: Bastion Virtual Network - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json templateFilePath: $(templateFilePath) displayName: VNET PEering 1 Virtual Network 
@@ -952,17 +949,7 @@ stages: displayName: Azure Firewall Virtual Network Min - path: $(dependencyPath)/$(resourceType)/parameters/10.azfw.parameters.json templateFilePath: $(templateFilePath) - displayName: Azure Firewall Virtual Network Additonal - - path: $(dependencyPath)/$(resourceType)/parameters/11.azfw.parameters.json - templateFilePath: $(templateFilePath) - displayName: Azure Firewall Virtual Network Custom - - path: $(dependencyPath)/$(resourceType)/parameters/12.bastion.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Virtual Network Additional - - path: $(dependencyPath)/$(resourceType)/parameters/13.bastion.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Virtual Network Custom - + displayName: Azure Firewall Virtual Network Custom Pip - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json templateFilePath: $(templateFilePath) diff --git a/.azuredevops/platformPipelines/platform.updateReadMe.yml b/.azuredevops/platformPipelines/platform.updateReadMe.yml index d2eb068bf0..13ebd9444d 100644 --- a/.azuredevops/platformPipelines/platform.updateReadMe.yml +++ b/.azuredevops/platformPipelines/platform.updateReadMe.yml @@ -13,7 +13,7 @@ trigger: - 'arm/**/deploy.json' variables: - - template: '../../global.variables.yml' + - template: '/.azuredevops/pipelineVariables/global.variables.yml' - name: pipelinePrincipalGitUserName value: 'CARMLPipelinePrincipal' - name: pipelinePrincipalGitUserEmail diff --git a/.azuredevops/platformPipelines/platform.wiki-sync.yml b/.azuredevops/platformPipelines/platform.wiki-sync.yml index 0d9809af6f..f63c80fb75 100644 --- a/.azuredevops/platformPipelines/platform.wiki-sync.yml +++ b/.azuredevops/platformPipelines/platform.wiki-sync.yml 
@@ -16,7 +16,7 @@ trigger: variables: - group: 'PLATFORM_VARIABLES' - - template: '../../global.variables.yml' + - template: '/.azuredevops/pipelineVariables/global.variables.yml' - name: pipelinePrincipalGitUserName value: 'CARMLPipelinePrincipal' - name: pipelinePrincipalGitUserEmail diff --git a/.github/actions/templates/publishModule/action.yml b/.github/actions/templates/publishModule/action.yml index cb3a327922..598e787e87 100644 --- a/.github/actions/templates/publishModule/action.yml +++ b/.github/actions/templates/publishModule/action.yml 
@@ -92,89 +92,85 @@ runs: enable-AzPSSession: true - name: 'Publish module to template specs' + shell: pwsh if: ${{ inputs.templateSpecsDoPublish == 'true' }} - uses: azure/powershell@v1 - with: - azPSVersion: 'latest' - inlineScript: | - # Grouping task logs - Write-Output "::group::Publish module to template specs" + run: | + # Grouping task logs + Write-Output "::group::Publish module to template specs" + + # Load used functions + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourcePublish' 'Get-ModulesToPublish.ps1') + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourcePublish' 'Publish-ModuleToTemplateSpec.ps1') + + $functionInput = @{ + TemplateFilePath = Join-Path $env:GITHUB_WORKSPACE "${{ inputs.templateFilePath }}" + } - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourcePublish' 'Get-ModulesToPublish.ps1') - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourcePublish' 'Publish-ModuleToTemplateSpec.ps1') + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + # Get the modified child resources + $ModulesToPublish = Get-ModulesToPublish @functionInput -Verbose + + # Publish the modified child resources + foreach ($ModuleToPublish in $ModulesToPublish) { + $RelPath = (($ModuleToPublish.TemplateFilePath).Split('/arm/')[-1]).Split('/deploy.')[0] + Write-Output "::group::$(' - [{0}] [{1}]' -f $RelPath, $ModuleToPublish.Version)" $functionInput = @{ - TemplateFilePath = Join-Path $env:GITHUB_WORKSPACE "${{ inputs.templateFilePath }}" + TemplateFilePath = $ModuleToPublish.TemplateFilePath + TemplateSpecsRgName = '${{ inputs.templateSpecsRgName }}' + TemplateSpecsRgLocation = '${{ inputs.templateSpecsRgLocation }}' + TemplateSpecsDescription = '${{ inputs.templateSpecsDescription }}' + ModuleVersion = $ModuleToPublish.Version } Write-Verbose "Invoke task with" -Verbose Write-Verbose ($functionInput | 
ConvertTo-Json | Out-String) -Verbose - # Get the modified child resources - $ModulesToPublish = Get-ModulesToPublish @functionInput -Verbose + Publish-ModuleToTemplateSpec @functionInput -Verbose + } - # Publish the modified child resources - foreach ($ModuleToPublish in $ModulesToPublish) { - $RelPath = (($ModuleToPublish.TemplateFilePath).Split('/arm/')[-1]).Split('/deploy.')[0] - Write-Output "::group::$(' - [{0}] [{1}]' -f $RelPath, $ModuleToPublish.Version)" + Write-Output "::endgroup::" - $functionInput = @{ - TemplateFilePath = $ModuleToPublish.TemplateFilePath - TemplateSpecsRgName = '${{ inputs.templateSpecsRgName }}' - TemplateSpecsRgLocation = '${{ inputs.templateSpecsRgLocation }}' - TemplateSpecsDescription = '${{ inputs.templateSpecsDescription }}' - ModuleVersion = $ModuleToPublish.Version - } + - name: 'Publish module to private bicep registry' + shell: pwsh + if: ${{ inputs.bicepRegistryDoPublish == 'true' }} + run: | + # Grouping task logs + Write-Output "::group::Publish module to private bicep registry" - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + # Load used functions + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourcePublish' 'Get-ModulesToPublish.ps1') + . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourcePublish' 'Publish-ModuleToPrivateBicepRegistry.ps1') - Publish-ModuleToTemplateSpec @functionInput -Verbose - } + $functionInput = @{ + TemplateFilePath = Join-Path $env:GITHUB_WORKSPACE "${{ inputs.templateFilePath }}" + } - Write-Output "::endgroup::" + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - name: 'Publish module to private bicep registry' - if: ${{ inputs.bicepRegistryDoPublish == 'true' }} - uses: azure/powershell@v1 - with: - azPSVersion: 'latest' - inlineScript: | - # Grouping task logs - Write-Output "::group::Publish module to private bicep registry" + # Get the modified child resources + $ModulesToPublish = Get-ModulesToPublish @functionInput -Verbose - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourcePublish' 'Get-ModulesToPublish.ps1') - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourcePublish' 'Publish-ModuleToPrivateBicepRegistry.ps1') + # Publish the modified child resources + foreach ($ModuleToPublish in $ModulesToPublish) { + $RelPath = (($ModuleToPublish.TemplateFilePath).Split('/arm/')[-1]).Split('/deploy.')[0] + Write-Output "::group::$(' - [{0}] [{1}]' -f $RelPath, $ModuleToPublish.Version)" $functionInput = @{ - TemplateFilePath = Join-Path $env:GITHUB_WORKSPACE "${{ inputs.templateFilePath }}" + TemplateFilePath = $ModuleToPublish.TemplateFilePath + BicepRegistryName = '${{ inputs.bicepRegistryName }}' + BicepRegistryRgName = '${{ inputs.bicepRegistryRgName }}' + BicepRegistryRgLocation = '${{ inputs.bicepRegistryRgLocation }}' + ModuleVersion = $ModuleToPublish.Version } Write-Verbose "Invoke task with" -Verbose Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - # Get the modified child resources - $ModulesToPublish = Get-ModulesToPublish @functionInput -Verbose + Publish-ModuleToPrivateBicepRegistry @functionInput 
-Verbose + } - # Publish the modified child resources - foreach ($ModuleToPublish in $ModulesToPublish) { - $RelPath = (($ModuleToPublish.TemplateFilePath).Split('/arm/')[-1]).Split('/deploy.')[0] - Write-Output "::group::$(' - [{0}] [{1}]' -f $RelPath, $ModuleToPublish.Version)" - - $functionInput = @{ - TemplateFilePath = $ModuleToPublish.TemplateFilePath - BicepRegistryName = '${{ inputs.bicepRegistryName }}' - BicepRegistryRgName = '${{ inputs.bicepRegistryRgName }}' - BicepRegistryRgLocation = '${{ inputs.bicepRegistryRgLocation }}' - ModuleVersion = $ModuleToPublish.Version - } - - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - Publish-ModuleToPrivateBicepRegistry @functionInput -Verbose - } - - Write-Output "::endgroup::" + Write-Output "::endgroup::" diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml index 7d23efa771..3bd386f6f5 100644 --- a/.github/actions/templates/validateModuleDeployment/action.yml +++ b/.github/actions/templates/validateModuleDeployment/action.yml 
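Review bot: Moving both publish steps from `azure/powershell@v1` with `azPSVersion: 'latest'` to `shell: pwsh` / `run:` makes the Az module version used by `Publish-ModuleToTemplateSpec` and `Publish-ModuleToPrivateBicepRegistry` whatever the runner image ships, and it relies entirely on the session created by the `enable-AzPSSession: true` login visible just above the hunk. For reproducible publishing it would help to at least record the version in the log at the start of each step, e.g. `Write-Verbose ('Az.Accounts {0}' -f (Get-Module -ListAvailable Az.Accounts | Select-Object -First 1).Version) -Verbose`, and to pin it in the setup if the runner image drifts. Unrelated to the migration but carried over: the `Write-Output "::group::$(' - [{0}] [{1}]' ...)"` opened per module inside the `foreach` has no matching `::endgroup::`, only the outer group is closed. The same migration in `.github/actions/templates/validateModuleDeployment/action.yml` has the same implicit dependency on the runner's Az modules.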
@@ -119,191 +119,183 @@ runs: # [Token replacement] task(s) # --------------------------- - name: 'Replace Parameter File Tokens [${{ inputs.parameterFilePath }}] ' - uses: azure/powershell@v1 - with: - azPSVersion: 'latest' - inlineScript: | - # Grouping task logs - Write-Output "::group::Replace Parameter File Tokens [${{ inputs.parameterFilePath }}]" - - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') - - # Load Settings File - $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable - - # Construct Token Function Input - $ConvertTokensInputs = @{ - Tokens = @{} - FilePath = '${{ inputs.parameterFilePath }}' - TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - } + shell: pwsh + run: | + # Grouping task logs + Write-Output "::group::Replace Parameter File Tokens [${{ inputs.parameterFilePath }}]" - # Local tokens - $ConvertTokensInputs.Tokens += @{ - resourceGroupName = '${{ inputs.resourceGroupName }}' - subscriptionId = '${{ inputs.subscriptionId }}' - managementGroupId = '${{ inputs.managementGroupId }}' - tenantId = '${{ env.ARM_TENANT_ID }}' - deploymentSpId = '${{ env.DEPLOYMENT_SP_ID }}' - } + # Load used functions + . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') - # Add local tokens - if ($Settings.parameterFileTokens.localTokens) { - $tokenMap = @{} - foreach ($token in $Settings.parameterFileTokens.localTokens) { - $tokenMap += @{ $token.name = $token.value } - } - Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose - $ConvertTokensInputs.Tokens += $tokenMap - } + # Load Settings File + $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable + + # Construct Token Function Input + $ConvertTokensInputs = @{ + Tokens = @{} + FilePath = '${{ inputs.parameterFilePath }}' + TokenPrefix = $Settings.parameterFileTokens.tokenPrefix + TokenSuffix = $Settings.parameterFileTokens.tokenSuffix + } + + # Local tokens + $ConvertTokensInputs.Tokens += @{ + resourceGroupName = '${{ inputs.resourceGroupName }}' + subscriptionId = '${{ inputs.subscriptionId }}' + managementGroupId = '${{ inputs.managementGroupId }}' + tenantId = '${{ env.ARM_TENANT_ID }}' + deploymentSpId = '${{ env.DEPLOYMENT_SP_ID }}' + } - # Add custom tokens (passed in via the pipeline) - if(-not [String]::IsNullOrEmpty('${{ inputs.customParameterFileTokens }}')) { - $customTokens = '${{ inputs.customParameterFileTokens }}' | ConvertFrom-Json -AsHashTable - Write-Verbose ('Using custom parameter file tokens [{0}]' -f ($customTokens.Keys -join ', ')) -Verbose - $ConvertTokensInputs.Tokens += $customTokens + # Add local tokens + if ($Settings.parameterFileTokens.localTokens) { + $tokenMap = @{} + foreach ($token in $Settings.parameterFileTokens.localTokens) { + $tokenMap += @{ $token.name = $token.value } } + Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose + $ConvertTokensInputs.Tokens += $tokenMap + } + + # Add custom tokens (passed in via the pipeline) + if(-not [String]::IsNullOrEmpty('${{ inputs.customParameterFileTokens }}')) { + $customTokens = '${{ 
inputs.customParameterFileTokens }}' | ConvertFrom-Json -AsHashTable + Write-Verbose ('Using custom parameter file tokens [{0}]' -f ($customTokens.Keys -join ', ')) -Verbose + $ConvertTokensInputs.Tokens += $customTokens + } - # Invoke Token Replacement Functionality - $null = Convert-TokensInFile @ConvertTokensInputs + # Invoke Token Replacement Functionality + $null = Convert-TokensInFile @ConvertTokensInputs - Write-Output "::endgroup::" + Write-Output "::endgroup::" # [Deployment validation] task(s) # ------------------------------- - name: 'Validate [${{ inputs.templateFilePath }}]' - uses: azure/powershell@v1 - with: - azPSVersion: 'latest' - inlineScript: | - # Grouping task logs - Write-Output "::group::Validate [${{ inputs.templateFilePath }}]" - - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourceDeployment' 'Test-TemplateDeployment.ps1') + shell: pwsh + run: | + # Grouping task logs + Write-Output "::group::Validate [${{ inputs.templateFilePath }}]" - # ----------- # - # INVOKE TEST # - # ----------- # - $functionInput = @{ - templateFilePath = '${{ inputs.templateFilePath }}' - location = '${{ inputs.location }}' - resourceGroupName = '${{ inputs.resourceGroupName }}' - subscriptionId = '${{ inputs.subscriptionId }}' - managementGroupId = '${{ inputs.managementGroupId }}' - additionalParameters = @{} - } + # Load used functions + . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourceDeployment' 'Test-TemplateDeployment.ps1') + + # ----------- # + # INVOKE TEST # + # ----------- # + $functionInput = @{ + templateFilePath = '${{ inputs.templateFilePath }}' + location = '${{ inputs.location }}' + resourceGroupName = '${{ inputs.resourceGroupName }}' + subscriptionId = '${{ inputs.subscriptionId }}' + managementGroupId = '${{ inputs.managementGroupId }}' + additionalParameters = @{} + } - if(-not [String]::IsNullOrEmpty('${{ inputs.parameterFilePath }}')) { - $functionInput['parameterFilePath'] = Join-Path $env:GITHUB_WORKSPACE '${{ inputs.parameterFilePath }}' - } + if(-not [String]::IsNullOrEmpty('${{ inputs.parameterFilePath }}')) { + $functionInput['parameterFilePath'] = Join-Path $env:GITHUB_WORKSPACE '${{ inputs.parameterFilePath }}' + } - $projectSettings = Get-Content -Path 'settings.json' | ConvertFrom-Json - if (-not [String]::IsNullOrEmpty($projectSettings.enableDefaultTelemetry) -and (Get-Content -Path $functionInput.templateFilePath -Raw) -like '*param enableDefaultTelemetry*') { - $functionInput['additionalParameters'] += @{ - enableDefaultTelemetry = $projectSettings.enableDefaultTelemetry - } - } + $projectSettings = Get-Content -Path 'settings.json' | ConvertFrom-Json + if (-not [String]::IsNullOrEmpty($projectSettings.enableDefaultTelemetry) -and (Get-Content -Path $functionInput.templateFilePath -Raw) -like '*param enableDefaultTelemetry*') { + $functionInput['additionalParameters'] += @{ + enableDefaultTelemetry = $projectSettings.enableDefaultTelemetry + } + } - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - Test-TemplateDeployment @functionInput -Verbose + Test-TemplateDeployment @functionInput -Verbose - Write-Output "::endgroup::" + Write-Output "::endgroup::" # [Deployment 
execution] task(s) # ------------------------------ - name: 'Deploy [${{ inputs.templateFilePath }}] with parameters [${{ inputs.parameterFilePath }}]' + shell: pwsh id: deploy_step - uses: azure/powershell@v1 - with: - azPSVersion: 'latest' - inlineScript: | - # Grouping task logs - Write-Output "::group::Deploy [${{ inputs.templateFilePath }}] with parameters [${{ inputs.parameterFilePath }}]" - - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourceDeployment' 'New-TemplateDeployment.ps1') + run: | + # Grouping task logs + Write-Output "::group::Deploy [${{ inputs.templateFilePath }}] with parameters [${{ inputs.parameterFilePath }}]" - $functionInput = @{ - templateFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ inputs.templateFilePath }}' - location = '${{ inputs.location }}' - resourceGroupName = '${{ inputs.resourceGroupName }}' - subscriptionId = '${{ inputs.subscriptionId }}' - managementGroupId = '${{ inputs.managementGroupId }}' - doNotThrow = $true - additionalParameters = @{} - } + # Load used functions + . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourceDeployment' 'New-TemplateDeployment.ps1') + + $functionInput = @{ + templateFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ inputs.templateFilePath }}' + location = '${{ inputs.location }}' + resourceGroupName = '${{ inputs.resourceGroupName }}' + subscriptionId = '${{ inputs.subscriptionId }}' + managementGroupId = '${{ inputs.managementGroupId }}' + doNotThrow = $true + additionalParameters = @{} + } - if(-not [String]::IsNullOrEmpty('${{ inputs.parameterFilePath }}')) { - $functionInput['parameterFilePath'] = Join-Path $env:GITHUB_WORKSPACE '${{ inputs.parameterFilePath }}' - } + if(-not [String]::IsNullOrEmpty('${{ inputs.parameterFilePath }}')) { + $functionInput['parameterFilePath'] = Join-Path $env:GITHUB_WORKSPACE '${{ inputs.parameterFilePath }}' + } - $projectSettings = Get-Content -Path 'settings.json' | ConvertFrom-Json - if (-not [String]::IsNullOrEmpty($projectSettings.enableDefaultTelemetry) -and (Get-Content -Path $functionInput.templateFilePath -Raw) -like '*param enableDefaultTelemetry*') { - $functionInput['additionalParameters'] += @{ - enableDefaultTelemetry = $projectSettings.enableDefaultTelemetry - } - } + $projectSettings = Get-Content -Path 'settings.json' | ConvertFrom-Json + if (-not [String]::IsNullOrEmpty($projectSettings.enableDefaultTelemetry) -and (Get-Content -Path $functionInput.templateFilePath -Raw) -like '*param enableDefaultTelemetry*') { + $functionInput['additionalParameters'] += @{ + enableDefaultTelemetry = $projectSettings.enableDefaultTelemetry + } + } - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - # Invoke deployment - $res = New-TemplateDeployment @functionInput -Verbose + # Invoke deployment + $res = New-TemplateDeployment @functionInput -Verbose - # Get deployment name 
- Write-Output ('::set-output name={0}::{1}' -f 'deploymentName', $res.deploymentName) + # Get deployment name + Write-Output ('::set-output name={0}::{1}' -f 'deploymentName', $res.deploymentName) - # Populate further outputs - $deploymentOutputHash=@{} + # Populate further outputs + $deploymentOutputHash=@{} - foreach ($outputKey in $res.deploymentOutput.Keys) { - Write-Output ('::set-output name={0}::{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value) - $deploymentOutputHash.add($outputKey,$res.deploymentOutput[$outputKey].Value) - } + foreach ($outputKey in $res.deploymentOutput.Keys) { + Write-Output ('::set-output name={0}::{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value) + $deploymentOutputHash.add($outputKey,$res.deploymentOutput[$outputKey].Value) + } - $deploymentOutput = $deploymentOutputHash | ConvertTo-Json -Compress -Depth 100 - Write-Verbose "Deployment output: $deploymentOutput" -Verbose - Write-Output ('::set-output name={0}::{1}' -f 'deploymentOutput', $deploymentOutput) + $deploymentOutput = $deploymentOutputHash | ConvertTo-Json -Compress -Depth 100 + Write-Verbose "Deployment output: $deploymentOutput" -Verbose + Write-Output ('::set-output name={0}::{1}' -f 'deploymentOutput', $deploymentOutput) - if ($res.ContainsKey('exception')) { - # Happens only if there is an exception - throw $res.exception - } + if ($res.ContainsKey('exception')) { + # Happens only if there is an exception + throw $res.exception + } - Write-Output "::endgroup::" + Write-Output "::endgroup::" # [Deployment removal] task(s) # ---------------------------- - name: 'Remove [${{ inputs.templateFilePath }}] from parameters [${{ inputs.parameterFilePath }}]' + shell: pwsh if: ${{ always() && inputs.removeDeployment == 'true' && steps.deploy_step.outputs.deploymentName != '' }} - uses: azure/powershell@v1 - with: - azPSVersion: 'latest' - inlineScript: | - # Grouping task logs - Write-Output "::group::Remove [${{ inputs.templateFilePath }}] from parameters 
[${{ inputs.parameterFilePath }}]" - - # Load used function - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourceRemoval' 'Initialize-DeploymentRemoval.ps1') - - if (-not [String]::IsNullOrEmpty('${{ steps.deploy_step.outputs.deploymentName }}')) { - $functionInput = @{ - DeploymentName = '${{ steps.deploy_step.outputs.deploymentName }}' - TemplateFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ inputs.templateFilePath }}' - ResourceGroupName = '${{ inputs.resourceGroupName }}' - ManagementGroupId = '${{ inputs.managementGroupId }}' - Verbose = $true - } + run: | + # Grouping task logs + Write-Output "::group::Remove [${{ inputs.templateFilePath }}] from parameters [${{ inputs.parameterFilePath }}]" - Write-Verbose 'Invoke task with' -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + # Load used function + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'resourceRemoval' 'Initialize-DeploymentRemoval.ps1') - Initialize-DeploymentRemoval @functionInput + if (-not [String]::IsNullOrEmpty('${{ steps.deploy_step.outputs.deploymentName }}')) { + $functionInput = @{ + DeploymentName = '${{ steps.deploy_step.outputs.deploymentName }}' + TemplateFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ inputs.templateFilePath }}' + ResourceGroupName = '${{ inputs.resourceGroupName }}' + ManagementGroupId = '${{ inputs.managementGroupId }}' + Verbose = $true } - Write-Output "::endgroup::" + Write-Verbose 'Invoke task with' -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + Initialize-DeploymentRemoval @functionInput + } + + Write-Output "::endgroup::" diff --git a/.github/actions/templates/validateModulePester/action.yml b/.github/actions/templates/validateModulePester/action.yml index 2585707067..dd24a671db 100644 --- a/.github/actions/templates/validateModulePester/action.yml +++ b/.github/actions/templates/validateModulePester/action.yml 
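Review bot: The deploy step echoes every template output in plain text twice, once via `Write-Verbose "Deployment output: $deploymentOutput" -Verbose` and once per key via `Write-Output ('::set-output name={0}::{1}' -f $outputKey, ...)`; if any module returns a secret-bearing output (a key or connection string), it lands unmasked in the job log and in step outputs readable by later steps. Consider emitting `::add-mask::` for each value before it is set, or logging only the output names in the verbose line. Separately, `::set-output` is deprecated on current runners in favour of appending to `$GITHUB_OUTPUT`; since the step is being rewritten anyway, this is a good moment to switch if the runner version in use supports it.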
@@ -52,7 +52,7 @@ runs: Write-Output "::endgroup::" - - name: 'Azure Login' + - name: Azure Login uses: Azure/login@v1 with: creds: ${{ env.AZURE_CREDENTIALS }} @@ -83,11 +83,11 @@ runs: if (-not [String]::IsNullOrEmpty('${{ env.ARM_MGMTGROUP_ID }}')) { $enforcedTokenList['managementGroupId'] = '${{ env.ARM_MGMTGROUP_ID }}' } - if (-not [String]::IsNullOrEmpty('${{ env.DEPLOYMENT_SP_ID }}')) { - $enforcedTokenList['deploymentSpId'] = '${{ env.DEPLOYMENT_SP_ID }}' - } if (-not [String]::IsNullOrEmpty('${{ env.ARM_TENANT_ID }}')) { - $enforcedTokenList['tenantId'] = '${{ env.ARM_TENANT_ID }}' + $enforcedTokenList['deploymentSpId'] = '${{ env.ARM_TENANT_ID }}' + } + if (-not [String]::IsNullOrEmpty('${{ env.DEPLOYMENT_SP_ID }}')) { + $enforcedTokenList['tenantId'] = '${{ env.DEPLOYMENT_SP_ID }}' } # --------------------- # @@ -100,6 +100,9 @@ runs: enforcedTokenList = $enforcedTokenList } } + Filter = @{ + ExcludeTag = 'ApiCheck' + } TestResult = @{ TestSuiteName = 'Global Module Tests' OutputPath = 'arm/.global/global-testResults.xml' 
@@ -111,8 +114,60 @@ runs: } }
- - name: 'Publish Test Results'
+ Write-Output "::endgroup::"
+
+ - name: Publish Test Results
 uses: EnricoMi/publish-unit-test-result-action@v1
+ if: always() && !contains('cancelled,skipped', steps.pester_run_step.outcome)
+ with:
+ files: arm/.global/global-testResults.xml
+
+ # [Module Pester Test] task(s)
+ #-----------------------------
+ - name: 'Run API tests via Pester'
+ id: pester_api_run_step
 if: always()
+ shell: pwsh
+ run: |
+ # Grouping task logs
+ Write-Output "::group::Run API tests via Pester"
+
+ $moduleFolderPaths = @(Join-Path $env:GITHUB_WORKSPACE "${{ inputs.modulePath }}")
+ $moduleFolderPaths += (Get-ChildItem $moduleFolderPaths -Recurse -Directory -Force).FullName | Where-Object {
+ (Get-ChildItem $_ -File -Depth 0 -Include @('deploy.json', 'deploy.bicep') -Force).Count -gt 0
+ }
+ Write-Verbose "Execute tests in path(s):" -Verbose
+ foreach($moduleFolderPath in $moduleFolderPaths) {
+ Write-Verbose "- [($moduleFolderPath]" -Verbose
+ }
+
+ # --------------------- #
+ # Invoke Pester test(s) #
+ # --------------------- #
+ Invoke-Pester -Configuration @{
+ Run = @{
+ Container = New-PesterContainer -Path 'arm/.global/global.module.tests.ps1' -Data @{
+ moduleFolderPaths = $moduleFolderPaths
+ }
+ }
+ Filter = @{
+ Tag = 'ApiCheck'
+ }
+ TestResult = @{
+ TestSuiteName = 'Global Module API Tests'
+ OutputPath = 'arm/.global/api-testResults.xml'
+ OutputFormat = 'JUnitXml'
+ Enabled = $true
+ }
+ Output = @{
+ Verbosity = 'Detailed'
+ }
+ }
+
+ Write-Output "::endgroup::"
+
+ - name: Publish Test Results
+ uses: EnricoMi/publish-unit-test-result-action@v1
+ if: always() && !contains('cancelled,skipped', steps.pester_api_run_step.outcome)
 with:
- files: 'arm/.global/*-testResults.xml'
+ files: arm/.global/api-testResults.xml
diff --git a/.github/workflows/ms.dataprotection.backupvaults.yml b/.github/workflows/ms.dataprotection.backupvaults.yml
deleted file mode 100644
index 5f6b9fc845..0000000000
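Review bot: `Write-Verbose "- [($moduleFolderPath]" -Verbose` in the new API-tests step has an unmatched `(` and prints every path as `[(/path]`; it should be `Write-Verbose "- [$moduleFolderPath]" -Verbose`. The hunk also leaves two steps both named `Publish Test Results`; giving the second one a distinct name such as `Publish API Test Results` lets the job log and the check annotations tell the two result files apart. A one-line comment above the `$moduleFolderPaths` discovery saying that it keeps only directories holding a `deploy.json` or `deploy.bicep` would spare the next reader from decoding the `Where-Object` filter.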
--- a/.github/workflows/ms.dataprotection.backupvaults.yml
+++ /dev/null
@@ -1,142 +0,0 @@ -name: "DataProtection: BackupVaults" - -on: - workflow_dispatch: - inputs: - removeDeployment: - type: boolean - description: "Remove deployed module" - required: false - default: true - prerelease: - type: boolean - description: "Publish prerelease module" - required: false - default: false - push: - branches: - - main - paths: - - ".github/actions/templates/**" - - ".github/workflows/ms.dataprotection.backupvaults.yml" - - "arm/Microsoft.DataProtection/backupVaults/**" - - "arm/.global/global.module.tests.ps1" - - "!*/**/readme.md" - - "utilities/pipelines/**" - - "!utilities/pipelines/dependencies/**" - -env: - variablesPath: "global.variables.yml" - modulePath: "arm/Microsoft.DataProtection/backupVaults" - workflowPath: ".github/workflows/ms.dataprotection.backupvaults.yml" - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: "${{ secrets.ARM_SUBSCRIPTION_ID }}" - ARM_MGMTGROUP_ID: "${{ secrets.ARM_MGMTGROUP_ID }}" - ARM_TENANT_ID: "${{ secrets.ARM_TENANT_ID }}" - DEPLOYMENT_SP_ID: "${{ secrets.DEPLOYMENT_SP_ID }}" - -jobs: - ########################### - # Initialize pipeline # - ########################### - job_initialize_pipeline: - runs-on: ubuntu-20.04 - name: "Initialize pipeline" - steps: - - name: "Checkout" - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: "Set input parameters to output variables" - id: get-workflow-param - uses: ./.github/actions/templates/getWorkflowInput - with: - workflowPath: "${{ env.workflowPath}}" - - name: "Get parameter file paths" - id: get-parameter-file-paths - uses: ./.github/actions/templates/getParameterFiles - with: - modulePath: "${{ env.modulePath }}" - outputs: - removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }} - parameterFilePaths: ${{ steps.get-parameter-file-paths.outputs.parameterFilePaths }} - - ######################### - # Static validation # - ######################### - job_module_pester_validation: - runs-on: ubuntu-20.04 - 
name: "Static validation" - steps: - - name: "Checkout" - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: "Run tests" - uses: ./.github/actions/templates/validateModulePester - with: - modulePath: "${{ env.modulePath }}" - - ############################# - # Deployment validation # - ############################# - job_module_deploy_validation: - runs-on: ubuntu-20.04 - name: "Deployment validation" - needs: - - job_initialize_pipeline - - job_module_pester_validation - strategy: - fail-fast: false - matrix: - parameterFilePaths: ${{ fromJSON(needs.job_initialize_pipeline.outputs.parameterFilePaths) }} - steps: - - name: "Checkout" - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Set environment variables - uses: ./.github/actions/templates/setEnvironmentVariables - with: - variablesPath: ${{ env.variablesPath }} - - name: "Using parameter file [${{ matrix.parameterFilePaths }}]" - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: "${{ env.modulePath }}/deploy.bicep" - parameterFilePath: "${{ env.modulePath }}/${{ matrix.parameterFilePaths }}" - location: "${{ env.location }}" - resourceGroupName: "${{ env.resourceGroupName }}" - subscriptionId: "${{ secrets.ARM_SUBSCRIPTION_ID }}" - managementGroupId: "${{ secrets.ARM_MGMTGROUP_ID }}" - removeDeployment: "${{ needs.job_initialize_pipeline.outputs.removeDeployment }}" - - ################## - # Publishing # - ################## - job_publish_module: - name: "Publishing" - if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' - runs-on: ubuntu-20.04 - needs: - - job_module_deploy_validation - steps: - - name: "Checkout" - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Set environment variables - uses: ./.github/actions/templates/setEnvironmentVariables - with: - variablesPath: ${{ env.variablesPath }} - - name: "Publishing" - uses: ./.github/actions/templates/publishModule - 
with: - templateFilePath: "${{ env.modulePath }}/deploy.bicep" - templateSpecsRGName: "${{ env.templateSpecsRGName }}" - templateSpecsRGLocation: "${{ env.templateSpecsRGLocation }}" - templateSpecsDescription: "${{ env.templateSpecsDescription }}" - templateSpecsDoPublish: "${{ env.templateSpecsDoPublish }}" - bicepRegistryName: "${{ env.bicepRegistryName }}" - bicepRegistryRGName: "${{ env.bicepRegistryRGName }}" - bicepRegistryRgLocation: "${{ env.bicepRegistryRgLocation }}" - bicepRegistryDoPublish: "${{ env.bicepRegistryDoPublish }}"
diff --git a/.github/workflows/ms.managedservices.registrationdefinitions.yml b/.github/workflows/ms.managedservices.registrationdefinitions.yml
index 174cdf5a4d..73cdc76d09 100644
--- a/.github/workflows/ms.managedservices.registrationdefinitions.yml
+++ b/.github/workflows/ms.managedservices.registrationdefinitions.yml
@@ -7,7 +7,7 @@ on: type: boolean description: 'Remove deployed module' required: false
- default: true
+ default: false # Needs a custom removal script
 prerelease: type: boolean description: 'Publish prerelease module'
diff --git a/.github/workflows/ms.operationsmanagement.solutions.yml b/.github/workflows/ms.operationsmanagement.solutions.yml
deleted file mode 100644
index db74fec086..0000000000
--- a/.github/workflows/ms.operationsmanagement.solutions.yml
+++ /dev/null
@@ -1,142 +0,0 @@ -name: 'OperationsManagement: Solutions' - -on: - workflow_dispatch: - inputs: - removeDeployment: - type: boolean - description: 'Remove deployed module' - required: false - default: true - prerelease: - type: boolean - description: 'Publish prerelease module' - required: false - default: false - push: - branches: - - main - paths: - - '.github/actions/templates/**' - - '.github/workflows/ms.operationsmanagement.solutions.yml' - - 'arm/Microsoft.OperationsManagement/solutions/**' - - 'arm/.global/global.module.tests.ps1' - - '!*/**/readme.md' - - 'utilities/pipelines/**' - - '!utilities/pipelines/dependencies/**' - -env: - variablesPath: 'global.variables.yml' - modulePath: 'arm/Microsoft.OperationsManagement/solutions' - workflowPath: '.github/workflows/ms.operationsmanagement.solutions.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' - DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' - -jobs: - ########################### - # Initialize pipeline # - ########################### - job_initialize_pipeline: - runs-on: ubuntu-20.04 - name: 'Initialize pipeline' - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Set input parameters to output variables' - id: get-workflow-param - uses: ./.github/actions/templates/getWorkflowInput - with: - workflowPath: '${{ env.workflowPath}}' - - name: 'Get parameter file paths' - id: get-parameter-file-paths - uses: ./.github/actions/templates/getParameterFiles - with: - modulePath: '${{ env.modulePath }}' - outputs: - removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }} - parameterFilePaths: ${{ steps.get-parameter-file-paths.outputs.parameterFilePaths }} - - ######################### - # Static validation # - ######################### - job_module_pester_validation: - runs-on: 
ubuntu-20.04 - name: 'Static validation' - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Run tests' - uses: ./.github/actions/templates/validateModulePester - with: - modulePath: '${{ env.modulePath }}' - - ############################# - # Deployment validation # - ############################# - job_module_deploy_validation: - runs-on: ubuntu-20.04 - name: 'Deployment validation' - needs: - - job_initialize_pipeline - - job_module_pester_validation - strategy: - fail-fast: false - matrix: - parameterFilePaths: ${{ fromJSON(needs.job_initialize_pipeline.outputs.parameterFilePaths) }} - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Set environment variables - uses: ./.github/actions/templates/setEnvironmentVariables - with: - variablesPath: ${{ env.variablesPath }} - - name: 'Using parameter file [${{ matrix.parameterFilePaths }}]' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: '${{ env.modulePath }}/deploy.bicep' - parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' - location: '${{ env.location }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' - - ################## - # Publishing # - ################## - job_publish_module: - name: 'Publishing' - if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' - runs-on: ubuntu-20.04 - needs: - - job_module_deploy_validation - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Set environment variables - uses: ./.github/actions/templates/setEnvironmentVariables - with: - variablesPath: ${{ env.variablesPath }} - - name: 'Publishing' - uses: 
./.github/actions/templates/publishModule - with: - templateFilePath: '${{ env.modulePath }}/deploy.bicep' - templateSpecsRGName: '${{ env.templateSpecsRGName }}' - templateSpecsRGLocation: '${{ env.templateSpecsRGLocation }}' - templateSpecsDescription: '${{ env.templateSpecsDescription }}' - templateSpecsDoPublish: '${{ env.templateSpecsDoPublish }}' - bicepRegistryName: '${{ env.bicepRegistryName }}' - bicepRegistryRGName: '${{ env.bicepRegistryRGName }}' - bicepRegistryRgLocation: '${{ env.bicepRegistryRgLocation }}' - bicepRegistryDoPublish: '${{ env.bicepRegistryDoPublish }}'
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 400fc2281e..fb76c5b845 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -49,7 +49,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -77,7 +76,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -107,7 +105,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' id: deploy_msi uses: ./.github/actions/templates/validateModuleDeployment
@@ -119,7 +116,6 @@ jobs: subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - - name: Set msi principal ID output id: print_msi_prinId uses: azure/powershell@v1
@@ -147,7 +143,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -175,7 +170,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -203,7 +197,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -231,7 +224,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -254,13 +246,12 @@ jobs: fail-fast: false matrix: parameterFilePaths:
- ['appi.parameters.json', 'aut.parameters.json', 'sol.parameters.json', 'parameters.json']
+ ['appi.parameters.json', 'aut.parameters.json', 'parameters.json']
 steps: - name: 'Checkout' uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -289,7 +280,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -313,7 +303,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Setup agent' shell: pwsh run: |
@@ -327,13 +316,11 @@ jobs: # Set agent up Set-EnvironmentOnAgent -PSModules $Modules - - name: Azure Login uses: azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} enable-AzPSSession: true - - name: Run PowerShell uses: azure/powershell@v1 with:
@@ -397,7 +384,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -430,7 +416,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' id: deploy_imgt uses: ./.github/actions/templates/validateModuleDeployment
@@ -442,7 +427,6 @@ jobs: subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - - name: 'Set image template output' id: print_imgt_output uses: azure/powershell@v1
@@ -472,7 +456,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Setup agent' shell: pwsh run: |
@@ -487,13 +470,11 @@ jobs: # Set agent up Set-EnvironmentOnAgent -PSModules $Modules - - name: Azure Login uses: azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} enable-AzPSSession: true - - name: 'Trigger building new image' uses: azure/powershell@v1 with:
@@ -505,7 +486,6 @@ jobs: Write-Verbose "Trigger new image creation with imageTemplateName $imageTemplateName and imageTemplateResourceGroup $imageTemplateResourceGroup" -Verbose Start-AzImageBuilderTemplate -ImageTemplateName $imageTemplateName -ResourceGroupName $imageTemplateResourceGroup azPSVersion: 'latest' - - name: 'Copy baked vhd to a storage account' uses: azure/powershell@v1 with:
@@ -594,7 +574,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -622,7 +601,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -650,7 +628,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -679,7 +656,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -716,7 +692,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -747,7 +722,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -775,7 +749,6 @@ jobs: [ 'apgw.parameters.json', 'bas.parameters.json',
- 'bas.additional.parameters.json',
 'lb.parameters.json', 'lb.min.parameters.json', 'fw.parameters.json',
@@ -786,7 +759,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -816,7 +788,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -846,7 +817,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -876,7 +846,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -907,7 +876,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -940,7 +908,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -966,7 +933,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Setup agent' shell: pwsh run: |
@@ -980,13 +946,11 @@ jobs: # Set agent up Set-EnvironmentOnAgent -PSModules $Modules - - name: Azure Login uses: azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} enable-AzPSSession: true - - name: 'Set key vault secrets keys and certificates' uses: azure/powershell@v1 with:
@@ -1120,7 +1084,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -1146,7 +1109,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Setup agent' shell: pwsh run: |
@@ -1166,7 +1128,6 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} enable-AzPSSession: true - - name: 'Set sqlmi key vault secrets and keys' uses: azure/powershell@v1 with:
@@ -1242,7 +1203,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -1270,7 +1230,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -1304,9 +1263,6 @@ jobs: '8.aadds.parameters.json', '9.azfw.parameters.json', '10.azfw.parameters.json',
- '11.azfw.parameters.json',
- '12.bastion.parameters.json',
- '13.bastion.parameters.json',
 'parameters.json' ] steps:
@@ -1314,7 +1270,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -1344,7 +1299,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -1372,7 +1326,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -1402,7 +1355,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
@@ -1430,7 +1382,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with:
diff --git a/.github/workflows/platform.issueAssignment.yml b/.github/workflows/platform.issueAssignment.yml
deleted file mode 100644
index a2defd3017..0000000000
--- a/.github/workflows/platform.issueAssignment.yml
+++ /dev/null
@@ -1,32 +0,0 @@ -# Add new issues to the corrrect project -name: '.Platform: Assign Issues to Projects' - -on: - workflow_dispatch: - issues: - types: - - opened - -env: - GITHUB_TOKEN: ${{ github.token }} - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - add-to-project: - name: Add Issues to Projects - runs-on: ubuntu-latest - steps: - - name: Add Bug to Bug Board - uses: srggrs/assign-one-project-github-action@1.2.1 - if: | - contains(github.event.issue.labels.*.name, 'bug') - with: - project: https://github.com/Azure/ResourceModules/projects/4 - column_name: 'Needs triage' - - name: Add Issues to Backlog Board - uses: srggrs/assign-one-project-github-action@1.2.1 - if: | - contains(github.event.issue.labels.*.name, 'enhancement') - with: - project: https://github.com/Azure/ResourceModules/projects/5 - column_name: 'Needs triage'
diff --git a/README.md b/README.md
index 46a3d2602e..407176a7d7 100644
--- a/README.md
+++ b/README.md
@@ -64,7 +64,6 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub | [Container Instances](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ContainerInstance/containerGroups) | [!['ContainerInstance: ContainerGroups'](https://github.com/Azure/ResourceModules/workflows/ContainerInstance:%20ContainerGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerinstance.containergroups.yml) | | [Container Registries](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ContainerRegistry/registries) | [!['ContainerRegistry: Registries'](https://github.com/Azure/ResourceModules/workflows/ContainerRegistry:%20Registries/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerregistry.registries.yml) | | [Data Factories](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.DataFactory/factories) | [!['DataFactory: Factories'](https://github.com/Azure/ResourceModules/workflows/DataFactory:%20Factories/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.datafactory.factories.yml) | -| [DataProtection BackupVaults](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.DataProtection/backupVaults) | [![DataProtection: BackupVaults](https://github.com/Azure/ResourceModules/workflows/DataProtection:%20BackupVaults/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.dataprotection.backupvaults.yml) | | [DDoS Protection Plans](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/ddosProtectionPlans) | [!['Network: DdosProtectionPlans'](https://github.com/Azure/ResourceModules/workflows/Network:%20DdosProtectionPlans/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.ddosprotectionplans.yml) | | [Deployment Scripts](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Resources/deploymentScripts) | [!['Resources: 
DeploymentScripts'](https://github.com/Azure/ResourceModules/workflows/Resources:%20DeploymentScripts/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.resources.deploymentscripts.yml) | | [Disk Encryption Sets](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Compute/diskEncryptionSets) | [!['Compute: DiskEncryptionSets'](https://github.com/Azure/ResourceModules/workflows/Compute:%20DiskEncryptionSets/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.diskencryptionsets.yml) | 
@@ -93,7 +92,6 @@ The CI environment supports both ARM and Bicep and can be leveraged using GitHub | [Network Interface](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/networkInterfaces) | [!['Network: NetworkInterfaces'](https://github.com/Azure/ResourceModules/workflows/Network:%20NetworkInterfaces/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkinterfaces.yml) | | [Network Security Groups](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/networkSecurityGroups) | [!['Network: NetworkSecurityGroups'](https://github.com/Azure/ResourceModules/workflows/Network:%20NetworkSecurityGroups/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | | [Network Watchers](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/networkWatchers) | [!['Network: NetworkWatchers'](https://github.com/Azure/ResourceModules/workflows/Network:%20NetworkWatchers/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatchers.yml) | -| [OperationsManagement Solutions](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.OperationsManagement/solutions) | [!['OperationsManagement: Solutions'](https://github.com/Azure/ResourceModules/workflows/OperationsManagement:%20Solutions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.operationsmanagement.solutions.yml) | | [Policy Assignments](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Authorization/policyAssignments) | [!['Authorization: PolicyAssignments'](https://github.com/Azure/ResourceModules/workflows/Authorization:%20PolicyAssignments/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyassignments.yml) | | [Policy Definitions](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Authorization/policyDefinitions) | [!['Authorization: 
PolicyDefinitions'](https://github.com/Azure/ResourceModules/workflows/Authorization:%20PolicyDefinitions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policydefinitions.yml) | | [Policy Exemptions](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Authorization/policyExemptions) | [!['Authorization: PolicyExemptions'](https://github.com/Azure/ResourceModules/workflows/Authorization:%20PolicyExemptions/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyexemptions.yml) |
diff --git a/arm/.global/global.module.tests.ps1 b/arm/.global/global.module.tests.ps1
index 049c61f1fa..15ae9e6c5b 100644
--- a/arm/.global/global.module.tests.ps1
+++ b/arm/.global/global.module.tests.ps1
@@ -23,11 +23,6 @@ $script:enforcedTokenList = $enforcedTokenList # For runtime purposes, we cache the compiled template in a hashtable that uses a formatted relative module path as a key $script:convertedTemplates = @{}
-# Shared exception messages
-$script:bicepTemplateCompilationFailedException = "Unable to compile the deploy.bicep template's content. This can happen if there is an error in the template. Please check if you can run the command `az bicep build --file {0} --stdout | ConvertFrom-Json -AsHashtable`." # -f $templateFilePath
-$script:jsonTemplateLoadFailedException = "Unable to load the deploy.json template's content. This can happen if there is an error in the template. Please check if you can run the command `Get-Content {0} -Raw | ConvertFrom-Json -AsHashtable`." # -f $templateFilePath
-$script:templateNotFoundException = 'No template file found in folder [{0}]' # -f $moduleFolderPath
-
 # Import any helper function used in this test script Import-Module (Join-Path $PSScriptRoot 'shared\helper.psm1') -Force
@@ -75,7 +70,6 @@ Describe 'File/folder tests' -Tag Modules { } It '[] Module should contain a [deploy.json/deploy.bicep] file' -TestCases $moduleFolderTestCases {
- param( [string] $moduleFolderPath ) $hasARM = (Test-Path (Join-Path -Path $moduleFolderPath 'deploy.json'))
@@ -84,19 +78,16 @@ Describe 'File/folder tests' -Tag Modules { } It '[] Module should contain a [readme.md] file' -TestCases $moduleFolderTestCases {
- param( [string] $moduleFolderPath ) (Test-Path (Join-Path -Path $moduleFolderPath 'readme.md')) | Should -Be $true } It '[] Module should contain a [.parameters] folder' -TestCases ($moduleFolderTestCases | Where-Object { $_.isTopLevelModule }) {
- param( [string] $moduleFolderPath ) Test-Path (Join-Path -Path $moduleFolderPath '.parameters') | Should -Be $true } It '[] Module should contain a [version.json] file' -TestCases $moduleFolderTestCases {
- param( [string] $moduleFolderPath ) (Test-Path (Join-Path -Path $moduleFolderPath 'version.json')) | Should -Be $true }
@@ -106,7 +97,7 @@ Describe 'File/folder tests' -Tag Modules { $folderTestCases = [System.Collections.ArrayList]@() foreach ($moduleFolderPath in $moduleFolderPaths) {
- if (Test-Path (Join-Path $moduleFolderPath '.parameters')) {
+ if (Test-Path (Join-Path $moduleFolderPath '.paramateres')) {
 $folderTestCases += @{ moduleFolderName = $moduleFolderPath.Replace('\', '/').Split('/arm/')[1] moduleFolderPath = $moduleFolderPath
@@ -115,9 +106,8 @@ Describe 'File/folder tests' -Tag Modules { } It '[] folder should contain one or more *parameters.json files' -TestCases $folderTestCases {
- param(
- [string] $moduleFolderName,
+ $moduleFolderName,
 $moduleFolderPath ) $parameterFolderPath = Join-Path $moduleFolderPath '.parameters'
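Review bot: The `@@ -106,7 +97,7 @@` hunk changes the folder check to `Join-Path $moduleFolderPath '.paramateres'`, a misspelling of `.parameters` — the name the `@@ -115` hunk still uses in `$parameterFolderPath = Join-Path $moduleFolderPath '.parameters'` and the `[.parameters] folder` test in the `@@ -84` hunk also checks. Because no module will have a folder by that name, `$folderTestCases` stays empty and the `folder should contain one or more *parameters.json files` test silently runs with no cases instead of failing. The line should read `if (Test-Path (Join-Path $moduleFolderPath '.parameters')) {`.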
@@ -138,9 +128,8 @@ Describe 'File/folder tests' -Tag Modules { } It '[] *parameters.json files in the .parameters folder should be valid json' -TestCases $parameterFolderFilesTestCases {
- param(
- [string] $moduleFolderName,
+ $moduleFolderName,
 $parameterFilePath ) (Get-Content $parameterFilePath) | ConvertFrom-Json
@@ -160,20 +149,12 @@ Describe 'Readme tests' -Tag Readme { if (-not ($convertedTemplates.Keys -contains $moduleFolderPathKey)) { if (Test-Path (Join-Path $moduleFolderPath 'deploy.bicep')) { $templateFilePath = Join-Path $moduleFolderPath 'deploy.bicep'
- $templateContent = az bicep build --file $templateFilePath --stdout --no-restore | ConvertFrom-Json -AsHashtable
-
- if (-not $templateContent) {
- throw ($bicepTemplateCompilationFailedException -f $templateFilePath)
- }
+ $templateContent = az bicep build --file $templateFilePath --stdout | ConvertFrom-Json -AsHashtable
 } elseIf (Test-Path (Join-Path $moduleFolderPath 'deploy.json')) { $templateFilePath = Join-Path $moduleFolderPath 'deploy.json' $templateContent = Get-Content $templateFilePath -Raw | ConvertFrom-Json -AsHashtable
-
- if (-not $templateContent) {
- throw ($jsonTemplateLoadFailedException -f $templateFilePath)
- }
 } else {
- throw ($templateNotFoundException -f $moduleFolderPath)
+ throw "No template file found in folder [$moduleFolderPath]"
 } $convertedTemplates[$moduleFolderPathKey] = @{ templateFilePath = $templateFilePath
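Review bot: In the `@@ -160,20 +149,12 @@` hunk the new side no longer checks the result of `$templateContent = az bicep build --file $templateFilePath --stdout | ConvertFrom-Json -AsHashtable`, so a template that fails to compile leaves `$templateContent` as `$null`, which is presumably then stored under `$convertedTemplates[$moduleFolderPathKey]` and only fails later, in whichever test indexes into it, with a message that does not name the template. A one-line guard at the source is cheaper to debug: `if (-not $templateContent) { throw "Unable to compile or load the template at [$templateFilePath]" }` after the bicep assignment, and the same after the `Get-Content ... | ConvertFrom-Json -AsHashtable` line in the `deploy.json` branch. Dropping `--no-restore` also means `az bicep build` may now try to restore referenced modules from remote registries during the test run; if the tests are meant to run without network access or against pinned inputs, that flag is worth keeping.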
@@ -191,57 +172,64 @@ Describe 'Readme tests' -Tag Readme { templateFilePath = $templateFilePath readMeFilePath = Join-Path -Path $moduleFolderPath 'readme.md' readMeContent = Get-Content (Join-Path -Path $moduleFolderPath 'readme.md') - isTopLevelModule = $moduleFolderPath.Replace('\', '/').Split('/arm/')[1].Split('/').Count -eq 2 # / } } It '[] Readme.md file should not be empty' -TestCases $readmeFolderTestCases { - param( - [string] $moduleFolderName, - [object[]] $readMeContent + $moduleFolderName, + $readMeContent ) $readMeContent | Should -Not -Be $null } - It '[] Readme.md file should contain these sections in order: Navigation, Resource Types, Parameters, Outputs, Deployment examples' -TestCases $readmeFolderTestCases { - + It '[] Readme.md file should contain the these titles in order: Resource Types, Parameters, Outputs' -TestCases $readmeFolderTestCases { param( - [string] $moduleFolderName, - [object[]] $readMeContent, - [boolean] $isTopLevelModule + $moduleFolderName, + $readMeContent ) - $expectedHeadersInOrder = @('Navigation', 'Resource types', 'Parameters', 'Outputs') + $ReadmeHTML = ($readMeContent | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html - if ($isTopLevelModule) { - # Only top-level modules have parameter files and hence deployment examples - $expectedHeadersInOrder += 'Deployment examples' + $Heading2Order = @('Resource Types', 'parameters', 'Outputs') + $Headings2List = @() + foreach ($H in $ReadmeHTML) { + if ($H.Contains('') + 1 + $EndIndex = $H.LastIndexof('<') + $headings2List += ($H.Substring($StartingIndex, $EndIndex - $StartingIndex)) + } } - $actualHeadersInOrder = $readMeContent | Where-Object { $_ -like '#*' } | ForEach-Object { ($_ -replace '#', '').TrimStart() } - - $filteredActuals = $actualHeadersInOrder | Where-Object { $expectedHeadersInOrder -contains $_ } - - $missingHeaders = $expectedHeadersInOrder | Where-Object { $actualHeadersInOrder -notcontains $_ } - $missingHeaders.Count | Should -Be 0 -Because 
('the list of missing headers [{0}] should be empty' -f ($missingHeaders -join ',')) - - $filteredActuals | Should -Be $expectedHeadersInOrder -Because 'the headers should exist in the expected order' + $differentiatingItems = $Heading2Order | Where-Object { $Headings2List -notcontains $_ } + $differentiatingItems.Count | Should -Be 0 -Because ('list of heading titles missing in the ReadMe file [{0}] should be empty' -f ($differentiatingItems -join ',')) } It '[] Resources section should contain all resources from the template file' -TestCases $readmeFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent + $moduleFolderName, + $templateContent, + $readMeContent ) # Get ReadMe data - $tableStartIndex, $tableEndIndex = Get-TableStartAndEndIndex -ReadMeContent $readMeContent -MarkdownSectionIdentifier '*# Resource Types' + $resourcesSectionStartIndex = 0 + while ($readMeContent[$resourcesSectionStartIndex] -notlike '*# Resource Types' -and -not ($resourcesSectionStartIndex -ge $readMeContent.count)) { + $resourcesSectionStartIndex++ + } + + $resourcesTableStartIndex = $resourcesSectionStartIndex + 1 + while ($readMeContent[$resourcesTableStartIndex] -notlike '*|*' -and -not ($resourcesTableStartIndex -ge $readMeContent.count)) { + $resourcesTableStartIndex++ + } + + $resourcesTableEndIndex = $resourcesTableStartIndex + 2 + while ($readMeContent[$resourcesTableEndIndex] -like '|*' -and -not ($resourcesTableEndIndex -ge $readMeContent.count)) { + $resourcesTableEndIndex++ + } $ReadMeResourcesList = [System.Collections.ArrayList]@() - for ($index = $tableStartIndex + 2; $index -lt $tableEndIndex; $index++) { + for ($index = $resourcesTableStartIndex + 2; $index -lt $resourcesTableEndIndex; $index++) { $ReadMeResourcesList += $readMeContent[$index].Split('|')[1].Replace('`', '').Trim() } 
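Review bot: The rewritten heading test in hunk @@ -191,57 +172,64 @@ is titled "should contain the these titles in order" but only checks membership: `$Heading2Order | Where-Object { $Headings2List -notcontains $_ }` reports missing headings and never compares positions, so a readme with Outputs before Parameters passes. If order is part of the contract, compare the filtered actual sequence, e.g. `($Headings2List | Where-Object { $Heading2Order -contains $_ }) | Should -Be $Heading2Order`, and fix the title typo ("the these"). `ConvertFrom-Markdown -ErrorAction SilentlyContinue` also turns a markdown parse failure into an empty `$ReadmeHTML`, which then fails with a misleading "all headings missing" message; dropping the `-ErrorAction` override surfaces the real cause. The heading-extraction lines appear garbled in this view (`$H.Contains('') + 1`), so the exact substring logic could not be reviewed here.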
@@ -254,19 +242,31 @@ Describe 'Readme tests' -Tag Readme { $differentiatingItems.Count | Should -Be 0 -Because ("list of template resources missing from the ReadMe's list [{0}] should be empty" -f ($differentiatingItems -join ',')) } - It '[] Resources section should not contain more resources than the template file' -TestCases $readmeFolderTestCases { - + It '[] Resources section should not contain more resources as in the template file' -TestCases $readmeFolderTestCases { param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent + $moduleFolderName, + $templateContent, + $readMeContent ) # Get ReadMe data - $tableStartIndex, $tableEndIndex = Get-TableStartAndEndIndex -ReadMeContent $readMeContent -MarkdownSectionIdentifier '*# Resource Types' + $resourcesSectionStartIndex = 0 + while ($readMeContent[$resourcesSectionStartIndex] -notlike '*# Resource Types' -and -not ($resourcesSectionStartIndex -ge $readMeContent.count)) { + $resourcesSectionStartIndex++ + } + + $resourcesTableStartIndex = $resourcesSectionStartIndex + 1 + while ($readMeContent[$resourcesTableStartIndex] -notlike '*|*' -and -not ($resourcesTableStartIndex -ge $readMeContent.count)) { + $resourcesTableStartIndex++ + } + + $resourcesTableEndIndex = $resourcesTableStartIndex + 2 + while ($readMeContent[$resourcesTableEndIndex] -like '|*' -and -not ($resourcesTableEndIndex -ge $readMeContent.count)) { + $resourcesTableEndIndex++ + } $ReadMeResourcesList = [System.Collections.ArrayList]@() - for ($index = $tableStartIndex + 2; $index -lt $tableEndIndex; $index++) { + for ($index = $resourcesTableStartIndex + 2; $index -lt $resourcesTableEndIndex; $index++) { $ReadMeResourcesList += $readMeContent[$index].Split('|')[1].Replace('`', '').Trim() } 
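Review bot: The three index-scanning loops added here (section start, table start, table end) are a verbatim copy of the loops in the preceding "Resources section should contain all resources" test and of the `Get-TableStartAndEndIndex` helper this commit deletes from helper.psm1, so any correction to the scan (for instance the start loop matching `'*|*'` anywhere on the line while the end loop stops at the first line not matching `'|*'`) now has to be applied in several places. A small function defined in the Describe's `BeforeAll`, called as `$tableStartIndex, $tableEndIndex = Get-TableStartAndEndIndex -ReadMeContent $readMeContent -MarkdownSectionIdentifier '*# Resource Types'`, would remove the duplication without reintroducing the module dependency. The test title also reads awkwardly; `'Resources section should not contain more resources than the template file'` is clearer.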
@@ -279,70 +279,40 @@ Describe 'Readme tests' -Tag Readme { $differentiatingItems.Count | Should -Be 0 -Because ("list of resources in the ReadMe's list [{0}] not in the template file should be empty" -f ($differentiatingItems -join ',')) } - It '[] Parameters section should contain a table for each existing parameter category in the following order: Required, Conditional, Optional, Generated' -TestCases $readmeFolderTestCases { - + It '[] parameters section should contain a table with these column names in order: Parameter Name, Type, Default Value, Possible values, Description' -TestCases $readmeFolderTestCases { param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent - ) - - $expectColumnsInOrder = @('Required', 'Conditional', 'Optional', 'Generated') - - ## Get all descriptions - $descriptions = $templateContent.parameters.Values.metadata.description - - ## Get the module parameter categories - $expectedParamCategories = $descriptions | ForEach-Object { $_.Split('.')[0] } | Select-Object -Unique # Get categories in template - $expectedParamCategoriesInOrder = $expectColumnsInOrder | Where-Object { $_ -in $expectedParamCategories } # add required ones in order - $expectedParamCategoriesInOrder += $expectedParamCategories | Where-Object { $_ -notin $expectColumnsInOrder } # add non-required ones after - - $actualParamCategories = $readMeContent | Select-String -Pattern '^\*\*(.+) parameters\*\*$' -AllMatches | ForEach-Object { $_.Matches.Groups[1].Value } # get actual in readme - - $actualParamCategories | Should -Be $expectedParamCategoriesInOrder - } - - It '[] parameter tables should provide columns in the following order: Parameter Name, Type, Default Value, Allowed Values, Description. Each column should be present unless empty for all the rows.' 
-TestCases $readmeFolderTestCases { - - param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent + $moduleFolderName, + $readMeContent ) - ## Get all descriptions - $descriptions = $templateContent.parameters.Values.metadata.description - - ## Get the module parameter categories - $paramCategories = $descriptions | ForEach-Object { $_.Split('.')[0] } | Select-Object -Unique - - foreach ($paramCategory in $paramCategories) { - - # Filter to relevant items - [array] $categoryParameters = $templateContent.parameters.Values | Where-Object { $_.metadata.description -like "$paramCategory. *" } | Sort-Object -Property 'Name' -Culture 'en-US' - - # Check properties for later reference - $shouldHaveDefault = $categoryParameters.defaultValue.count -gt 0 - $shouldHaveAllowed = $categoryParameters.allowedValues.count -gt 0 - - $expectedColumnsInOrder = @('Parameter Name', 'Type') - if ($shouldHaveDefault) { $expectedColumnsInOrder += @('Default Value') } - if ($shouldHaveAllowed) { $expectedColumnsInOrder += @('Allowed Values') } - $expectedColumnsInOrder += @('Description') - - $readMeCategoryIndex = $readMeContent | Select-String -Pattern "^\*\*$paramCategory parameters\*\*$" | ForEach-Object { $_.LineNumber } - $readmeCategoryColumns = ($readMeContent[$readMeCategoryIndex] -split '\|') | ForEach-Object { $_.Trim() } | Where-Object { -not [String]::IsNullOrEmpty($_) } - - $readmeCategoryColumns | Should -Be $expectedColumnsInOrder + $ReadmeHTML = ($readMeContent | ConvertFrom-Markdown -ErrorAction SilentlyContinue).Html + $ParameterHeadingOrder = @('Parameter Name', 'Type', 'Default Value', 'Allowed Values', 'Description') + $ComparisonFlag = 0 + $Headings = @(@()) + foreach ($H in $ReadmeHTML) { + if ($H.Contains('') + 1 + $EndIndex = $H.LastIndexof('<') + $Headings += , (@($H.Substring($StartingIndex, $EndIndex - $StartingIndex), $ReadmeHTML.IndexOf($H))) + } } + $HeadingIndex = $Headings | Where-Object { $_ -eq 'parameters' } + if 
($HeadingIndex -eq $null) { + Write-Verbose "[parameters section should contain a table with these column names in order: Parameter Name, Type, Default Value, Possible values, Description] Error At ($moduleFolderName)" -Verbose + $true | Should -Be $false + } + $ParameterHeadingsList = $ReadmeHTML[$HeadingIndex[1] + 2].Replace('

|', '').Replace('|

', '').Split('|').Trim() + if (Compare-Object -ReferenceObject $ParameterHeadingOrder -DifferenceObject $ParameterHeadingsList -SyncWindow 0) { + $ComparisonFlag = $ComparisonFlag + 1 + } + ($ComparisonFlag -gt 2) | Should -Be $false } - It '[] Parameters section should contain all parameters from the template file' -TestCases $readmeFolderTestCases { - + It '[] parameters section should contain all parameters from the template file' -TestCases $readmeFolderTestCases { param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent + $moduleFolderName, + $templateContent, + $readMeContent ) # Get Template data 
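Review bot: The column-order assertion at the end of the parameters-table test in hunk @@ -279,70 +279,40 @@ can never fail: `$ComparisonFlag` starts at 0 and is incremented at most once, so `($ComparisonFlag -gt 2) | Should -Be $false` is always satisfied and a readme with wrong or missing columns passes. Assert on the comparison directly, e.g. `Compare-Object -ReferenceObject $ParameterHeadingOrder -DifferenceObject $ParameterHeadingsList -SyncWindow 0 | Should -BeNullOrEmpty`. The missing-heading branch `$true | Should -Be $false` likewise yields an unhelpful failure; `$HeadingIndex | Should -Not -BeNullOrEmpty -Because "the readme of [$moduleFolderName] needs a parameters heading"` says what went wrong. The test title lists "Possible values" while `$ParameterHeadingOrder` expects `'Allowed Values'`, and the heading-extraction lines are garbled in this view, so their exact logic is not reviewable here.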
@@ -350,17 +320,26 @@ Describe 'Readme tests' -Tag Readme { # Get ReadMe data ## Get section start index - $sectionStartIndex = Get-MarkdownSectionStartIndex -ReadMeContent $readMeContent -MarkdownSectionIdentifier '*# Parameters' + $parametersSectionStartIndex = 0 + while ($readMeContent[$parametersSectionStartIndex] -notlike '*# Parameters' -and -not ($parametersSectionStartIndex -ge $readMeContent.count)) { + $parametersSectionStartIndex++ + } + Write-Verbose ("Start row of the parameters section in the readme: $parametersSectionStartIndex") - if ($sectionStartIndex -ge $readMeContent.count) { + if ($parametersSectionStartIndex -ge $readMeContent.count) { throw 'Parameters section is missing in the Readme. Please add and re-run the tests.' } - $parametersSectionEndIndex = Get-MarkdownSectionEndIndex -ReadMeContent $readMeContent -SectionStartIndex $sectionStartIndex + ## Get section end index + $parametersSectionEndIndex = $parametersSectionStartIndex + 1 + while ($readMeContent[$parametersSectionEndIndex] -notlike '*# *' -and -not ($parametersSectionEndIndex -ge $readMeContent.count)) { + $parametersSectionEndIndex++ + } + Write-Verbose ("End row of the parameters section in the readme: $parametersSectionEndIndex") ## Iterate over all parameter tables $parametersList = [System.Collections.ArrayList]@() - $sectionIndex = $sectionStartIndex + $sectionIndex = $parametersSectionStartIndex while ($sectionIndex -lt $parametersSectionEndIndex) { ### Get table start index $parametersTableStartIndex = $sectionIndex 
@@ -388,15 +367,23 @@ Describe 'Readme tests' -Tag Readme { } It '[] Outputs section should contain a table with these column names in order: Output Name, Type' -TestCases $readmeFolderTestCases { - param( - [string] $moduleFolderName, + $moduleFolderName, $readMeContent ) - $tableStartIndex, $tableEndIndex = Get-TableStartAndEndIndex -ReadMeContent $readMeContent -MarkdownSectionIdentifier '*# Outputs' + # Get ReadMe data + $outputsSectionStartIndex = 0 + while ($readMeContent[$outputsSectionStartIndex] -notlike '*# Outputs' -and -not ($outputsSectionStartIndex -ge $readMeContent.count)) { + $outputsSectionStartIndex++ + } + + $outputsTableStartIndex = $outputsSectionStartIndex + 1 + while ($readMeContent[$outputsTableStartIndex] -notlike '*|*' -and -not ($outputsTableStartIndex -ge $readMeContent.count)) { + $outputsTableStartIndex++ + } - $outputsTableHeader = $readMeContent[$tableStartIndex].Split('|').Trim() | Where-Object { -not [String]::IsNullOrEmpty($_) } + $outputsTableHeader = $readMeContent[$outputsTableStartIndex].Split('|').Trim() | Where-Object { -not [String]::IsNullOrEmpty($_) } # Test $expectedOutputsTableOrder = @('Output Name', 'Type') 
@@ -405,34 +392,45 @@ Describe 'Readme tests' -Tag Readme { } It '[] Output section should contain all outputs defined in the template file' -TestCases $readmeFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent, - [object[]] $readMeContent + $moduleFolderName, + $templateContent, + $readMeContent ) # Get ReadMe data - $tableStartIndex, $tableEndIndex = Get-TableStartAndEndIndex -ReadMeContent $readMeContent -MarkdownSectionIdentifier '*# Outputs' + $outputsSectionStartIndex = 0 + while ($readMeContent[$outputsSectionStartIndex] -notlike '*# Outputs' -and -not ($outputsSectionStartIndex -ge $readMeContent.count)) { + $outputsSectionStartIndex++ + } + + $outputsTableStartIndex = $outputsSectionStartIndex + 1 + while ($readMeContent[$outputsTableStartIndex] -notlike '*|*' -and -not ($outputsTableStartIndex -ge $readMeContent.count)) { + $outputsTableStartIndex++ + } - $ReadMeOutputsList = [System.Collections.ArrayList]@() - for ($index = $tableStartIndex + 2; $index -lt $tableEndIndex; $index++) { - $ReadMeOutputsList += $readMeContent[$index].Split('|')[1].Replace('`', '').Trim() + $outputsTableEndIndex = $outputsTableStartIndex + 2 + while ($readMeContent[$outputsTableEndIndex] -like '|*' -and -not ($outputsTableEndIndex -ge $readMeContent.count)) { + $outputsTableEndIndex++ + } + + $ReadMeoutputsList = [System.Collections.ArrayList]@() + for ($index = $outputsTableStartIndex + 2; $index -lt $outputsTableEndIndex; $index++) { + $ReadMeoutputsList += $readMeContent[$index].Split('|')[1].Replace('`', '').Trim() } # Template data $expectedOutputs = $templateContent.outputs.Keys # Test - $differentiatingItems = $expectedOutputs | Where-Object { $ReadMeOutputsList -notcontains $_ } + $differentiatingItems = $expectedOutputs | Where-Object { $ReadMeoutputsList -notcontains $_ } $differentiatingItems.Count | Should -Be 0 -Because ('list of template outputs missing in the ReadMe file [{0}] should be empty' -f ($differentiatingItems -join 
',')) - $differentiatingItems = $ReadMeOutputsList | Where-Object { $expectedOutputs -notcontains $_ } + $differentiatingItems = $ReadMeoutputsList | Where-Object { $expectedOutputs -notcontains $_ } $differentiatingItems.Count | Should -Be 0 -Because ('list of excess template outputs defined in the ReadMe file [{0}] should be empty' -f ($differentiatingItems -join ',')) } It '[] Set-ModuleReadMe script should not apply any updates' -TestCases $readmeFolderTestCases { - param( [string] $moduleFolderName, [string] $templateFilePath, @@ -453,12 +451,7 @@ Describe 'Readme tests' -Tag Readme { $fileHashAfter = (Get-FileHash $readMeFilePath).Hash # Compare - $filesAreTheSame = $fileHashBefore -eq $fileHashAfter - if (-not $filesAreTheSame) { - $diffReponse = git diff - Write-Warning ($diffReponse | Out-String) -Verbose - } - $filesAreTheSame | Should -Be $true -Because 'The file hashes before and after applying the Set-ModuleReadMe function should be identical' + $fileHashBefore -eq $fileHashAfter | Should -Be $true -Because 'The file hashes before and after applying the Set-ModuleReadMe function should be identical' } } } 
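Review bot: In hunk @@ -453,12 +451,7 @@ the failure of the Set-ModuleReadMe round-trip test no longer tells the author which file drifted, since the `-Because` text is generic and no per-file detail is emitted; a failing run across many modules then needs a local re-run just to find the readme. Including the path is cheap: `$fileHashBefore -eq $fileHashAfter | Should -Be $true -Because "the ReadMe [$readMeFilePath] should not change when Set-ModuleReadMe is re-applied"`. The test presumably rewrites the readme in the working tree before taking `$fileHashAfter` (that call sits above this hunk), so on failure the modified file is left behind; if that is not intended, restore it in an `AfterEach`, e.g. with `git checkout -- $readMeFilePath`.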
@@ -475,20 +468,12 @@ Describe 'Deployment template tests' -Tag Template { if (-not ($convertedTemplates.Keys -contains $moduleFolderPathKey)) { if (Test-Path (Join-Path $moduleFolderPath 'deploy.bicep')) { $templateFilePath = Join-Path $moduleFolderPath 'deploy.bicep' - $templateContent = az bicep build --file $templateFilePath --stdout --no-restore | ConvertFrom-Json -AsHashtable - - if (-not $templateContent) { - throw ($bicepTemplateCompilationFailedException -f $templateFilePath) - } + $templateContent = az bicep build --file $templateFilePath --stdout | ConvertFrom-Json -AsHashtable } elseIf (Test-Path (Join-Path $moduleFolderPath 'deploy.json')) { $templateFilePath = Join-Path $moduleFolderPath 'deploy.json' $templateContent = Get-Content $templateFilePath -Raw | ConvertFrom-Json -AsHashtable - - if (-not $templateContent) { - throw ($jsonTemplateLoadFailedException -f $templateFilePath) - } } else { - throw ($templateNotFoundException -f $moduleFolderPath) + throw "No template file found in folder [$moduleFolderPath]" } $convertedTemplates[$moduleFolderPathKey] = @{ templateFilePath = $templateFilePath @@ -530,10 +515,9 @@ Describe 'Deployment template tests' -Tag Template { } It '[] the template file should not be empty' -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) $templateContent | Should -Not -Be $null } @@ -542,8 +526,8 @@ Describe 'Deployment template tests' -Tag Template { # the actual value changes depending on the scope of the template (RG, subscription, MG, tenant) !! # https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) $Schemaverion = $templateContent.'$schema' 
@@ -564,10 +548,9 @@ Describe 'Deployment template tests' -Tag Template { } It '[] Template schema should use HTTPS reference' -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) $Schemaverion = $templateContent.'$schema' ($Schemaverion.Substring(0, 5) -eq 'https') | Should -Be $true @@ -576,8 +559,8 @@ Describe 'Deployment template tests' -Tag Template { It '[] All apiVersion properties should be set to a static, hard-coded value' -TestCases $deploymentFolderTestCases { #https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-best-practices param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) $ApiVersion = $templateContent.resources.apiVersion $ApiVersionArray = @() 
@@ -599,37 +582,34 @@ Describe 'Deployment template tests' -Tag Template { } It '[] the template file should contain required elements: schema, contentVersion, resources' -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) $templateContent.Keys | Should -Contain '$schema' $templateContent.Keys | Should -Contain 'contentVersion' $templateContent.Keys | Should -Contain 'resources' } - It '[] If delete lock is implemented, the template should have a lock parameter with the default value of ['''']' -TestCases $deploymentFolderTestCases { - + It '[] If delete lock is implemented, the template should have a lock parameter with the default value of [NotSpecified]' -TestCases $deploymentFolderTestCases { param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) if ($lock = $templateContent.parameters.lock) { $lock.Keys | Should -Contain 'defaultValue' - $lock.defaultValue | Should -Be '' + $lock.defaultValue | Should -Be 'NotSpecified' } } It '[] Parameter names should be camel-cased (no dashes or underscores and must start with lower-case letter)' -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) if (-not $templateContent.parameters) { - Set-ItResult -Skipped -Because 'the module template has no parameters.' + # Skip test return } @@ -646,14 +626,13 @@ Describe 'Deployment template tests' -Tag Template { } It '[] Variable names should be camel-cased (no dashes or underscores and must start with lower-case letter)' -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) if (-not $templateContent.variables) { - Set-ItResult -Skipped -Because 'the module template has no variables.' + # Skip test return } 
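Review bot: Replacing `Set-ItResult -Skipped -Because '...'` with a bare `return` (in hunks @@ -599 and @@ -646) turns a reported skip into a reported pass: a template with no parameters or variables shows the camel-case tests as green although nothing was asserted, and the run summary can no longer distinguish "checked" from "not applicable". `Set-ItResult -Skipped` is available in Pester 5 and should stay; if the file must also run under Pester 4, guard it with `if (Get-Command Set-ItResult -ErrorAction SilentlyContinue) { Set-ItResult -Skipped -Because 'the module template has no parameters.' }`. The lock default moving to `'NotSpecified'` matches the deploy.bicep change in this commit, but every module that implements a lock parameter has to be updated in the same change or this test fails for the stragglers.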
@@ -671,10 +650,9 @@ Describe 'Deployment template tests' -Tag Template { } It '[] Output names should be camel-cased (no dashes or underscores and must start with lower-case letter)' -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) $CamelCasingFlag = @() $Outputs = $templateContent.outputs.Keys @@ -690,10 +668,9 @@ Describe 'Deployment template tests' -Tag Template { } It '[] CUA ID deployment should be present in the template' -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) $enableDefaultTelemetryFlag = @() $Schemaverion = $templateContent.'$schema' @@ -708,10 +685,9 @@ Describe 'Deployment template tests' -Tag Template { } It "[] The Location should be defined as a parameter, with the default value of 'resourceGroup().Location' or global for ResourceGroup deployment scope" -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) $LocationFlag = $true $Schemaverion = $templateContent.'$schema' @@ -734,7 +710,7 @@ Describe 'Deployment template tests' -Tag Template { param( [string] $moduleFolderName, - [hashtable] $templateContent, + $templateContent, [string] $templateFilePath ) @@ -756,7 +732,7 @@ Describe 'Deployment template tests' -Tag Template { param( [string] $moduleFolderName, - [hashtable] $templateContent, + $templateContent, [string] $templateFilePath ) 
@@ -769,54 +745,33 @@ Describe 'Deployment template tests' -Tag Template { } It '[] Resource name output should exist' -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent, - $templateFilePath + $moduleFolderName, + $templateContent ) - # check if module contains a 'primary' resource we could draw a name from - $moduleResourceType = (Split-Path (($templateFilePath -replace '\\', '/') -split '/arm/')[1] -Parent) -replace '\\', '/' - if ($templateContent.resources.type -notcontains $moduleResourceType) { - Set-ItResult -Skipped -Because 'the module template has no primary resource to fetch a name from.' - return - } - - # Otherwise test for standard outputs $outputs = $templateContent.outputs.Keys $outputs | Should -Contain 'name' } It '[] Resource ID output should exist' -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent, - $templateFilePath + $moduleFolderName, + $templateContent ) - # check if module contains a 'primary' resource we could draw a name from - $moduleResourceType = (Split-Path (($templateFilePath -replace '\\', '/') -split '/arm/')[1] -Parent) -replace '\\', '/' - if ($templateContent.resources.type -notcontains $moduleResourceType) { - Set-ItResult -Skipped -Because 'the module template has no primary resource to fetch a resource ID from.' - return - } - - # Otherwise test for standard outputs $outputs = $templateContent.outputs.Keys $outputs | Should -Contain 'resourceId' } It "[] parameters' description should start with a one word category starting with a capital letter, followed by a dot, a space and the actual description text ending with a dot." -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) if (-not $templateContent.parameters) { - Set-ItResult -Skipped -Because 'the module template has no parameters.' + # Skip test return } 
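Review bot: Removing the primary-resource guard from the `name` and `resourceId` output tests makes them unconditional, so any module in `$deploymentFolderTestCases` that does not wrap a single Azure resource (the case the deleted `$moduleResourceType` comparison handled) will now fail rather than be skipped. If such modules exist in the repo they need an explicit allow-list or the guard; if none exist, a one-line comment above the test, `# every module is expected to expose 'name' and 'resourceId' outputs`, would record that decision for the next reader. The parameters' description test in the same hunk also swaps `Set-ItResult -Skipped` for a silent `return`, which reports a pass where nothing was asserted.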
@@ -832,14 +787,13 @@ Describe 'Deployment template tests' -Tag Template { } It "[] Conditional parameters' description should contain 'Required if' followed by the condition making the parameter required." -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) if (-not $templateContent.parameters) { - Set-ItResult -Skipped -Because 'the module template has no parameters.' + # Skip test return } @@ -847,8 +801,10 @@ Describe 'Deployment template tests' -Tag Template { $templateParameters = $templateContent.parameters.Keys foreach ($parameter in $templateParameters) { $data = ($templateContent.parameters.$parameter.metadata).description - switch -regex ($data) { - '^Conditional. .*' { + switch -regex ($data) + { + '^Conditional. .*' + { if ($data -notmatch '.*\. Required if .*') { $incorrectParameters += $parameter } @@ -859,14 +815,13 @@ Describe 'Deployment template tests' -Tag Template { } It "[] outputs' description should start with a capital letter and contain text ending with a dot." -TestCases $deploymentFolderTestCases { - param( - [string] $moduleFolderName, - [hashtable] $templateContent + $moduleFolderName, + $templateContent ) if (-not $templateContent.outputs) { - Set-ItResult -Skipped -Because 'the module template has no outputs.' + # Skip test return } @@ -958,7 +913,7 @@ Describe "API version tests [All apiVersions in the template should be 'recent'] $testCases = @() $ApiVersions = Get-AzResourceProvider -ListAvailable - foreach ($moduleFolderPath in $moduleFolderPaths) { + foreach ($moduleFolderPath in $moduleFolderPathsFiltered) { $moduleFolderName = $moduleFolderPath.Replace('\', '/').Split('/arm/')[1] 
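Review bot: The API-version test-case loop in hunk @@ -958,7 +913,7 @@ now iterates `$moduleFolderPathsFiltered`, a name that is not assigned anywhere in the visible diff while every other Describe still iterates `$moduleFolderPaths`. If it is not set in this Describe's setup (the enclosing block starts before the hunk), the loop runs zero times, `$testCases` stays empty and the recent-API-version checks silently produce no tests. A `$moduleFolderPathsFiltered | Should -Not -BeNullOrEmpty` in a `BeforeAll`, or at least a comment stating what filters the list and why the API-version tests use a narrower set, would make the intent visible.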
@@ -967,20 +922,12 @@ Describe "API version tests [All apiVersions in the template should be 'recent'] if (-not ($convertedTemplates.Keys -contains $moduleFolderPathKey)) { if (Test-Path (Join-Path $moduleFolderPath 'deploy.bicep')) { $templateFilePath = Join-Path $moduleFolderPath 'deploy.bicep' - $templateContent = az bicep build --file $templateFilePath --stdout --no-restore | ConvertFrom-Json -AsHashtable - - if (-not $templateContent) { - throw ($bicepTemplateCompilationFailedException -f $templateFilePath) - } + $templateContent = az bicep build --file $templateFilePath --stdout | ConvertFrom-Json -AsHashtable } elseIf (Test-Path (Join-Path $moduleFolderPath 'deploy.json')) { $templateFilePath = Join-Path $moduleFolderPath 'deploy.json' $templateContent = Get-Content $templateFilePath -Raw | ConvertFrom-Json -AsHashtable - - if (-not $templateContent) { - throw ($jsonTemplateLoadFailedException -f $templateFilePath) - } } else { - throw ($templateNotFoundException -f $moduleFolderPath) + throw "No template file found in folder [$moduleFolderPath]" } $convertedTemplates[$moduleFolderPathKey] = @{ templateFilePath = $templateFilePath @@ -1054,13 +1001,12 @@ Describe "API version tests [All apiVersions in the template should be 'recent'] } It 'In [] used resource type [] should use one of the recent API version(s). Currently using []' -TestCases $TestCases { - param( - [string] $moduleName, - [string] $resourceType, - [string] $TargetApi, - [string] $ProviderNamespace, - [object[]] $AvailableApiVersions + $moduleName, + $resourceType, + $TargetApi, + $ProviderNamespace, + $AvailableApiVersions ) $namespaceResourceTypes = ($AvailableApiVersions | Where-Object { $_.ProviderNamespace -eq $ProviderNamespace }).ResourceTypes diff --git a/arm/.global/shared/helper.psm1 b/arm/.global/shared/helper.psm1 index f7102aae44..a1a368d6af 100644 --- a/arm/.global/shared/helper.psm1 +++ b/arm/.global/shared/helper.psm1 
@@ -1,129 +1,5 @@ -############################## -# Load general functions # -############################## +# Load used functions $repoRootPath = (Get-Item $PSScriptRoot).Parent.Parent.Parent.FullName . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'Get-NestedResourceList.ps1') . (Join-Path $repoRootPath 'utilities' 'pipelines' 'sharedScripts' 'Get-ScopeOfTemplateFile.ps1') - -#################################### -# Load test-specific functions # -#################################### - -<# -.SYNOPSIS -Get the index of a header in a given markdown array - -.DESCRIPTION -Get the index of a header in a given markdown array - -.PARAMETER ReadMeContent -Required. The content to search in - -.PARAMETER MarkdownSectionIdentifier -Required. The header to search for. For example '*# Parameters' - -.EXAMPLE -Get-MarkdownSectionStartIndex -ReadMeContent @('# Parameters', 'other content') -MarkdownSectionIdentifier '*# Parameters' - -Get the index of the '# Parameters' header in the given markdown array @('# Parameters', 'other content') -#> -function Get-MarkdownSectionStartIndex { - - [CmdletBinding()] - param ( - [Parameter(Mandatory = $true)] - [array] $ReadMeContent, - - [Parameter(Mandatory = $true)] - [string] $MarkdownSectionIdentifier - ) - - $sectionStartIndex = 0 - while ($ReadMeContent[$sectionStartIndex] -notlike $MarkdownSectionIdentifier -and -not ($sectionStartIndex -ge $ReadMeContent.count)) { - $sectionStartIndex++ - } - - return $sectionStartIndex -} - -<# -.SYNOPSIS -Get the last index of a section in a given markdown array - -.DESCRIPTION -Get the last index of a section in a given markdown array. The end of a section is identified by the start of a new header. - -.PARAMETER ReadMeContent -Required. The content to search in - -.PARAMETER SectionStartIndex -Required. 
The index where the section starts - -.EXAMPLE -Get-MarkdownSectionEndIndex -ReadMeContent @('somrthing', '# Parameters', 'other content', '# Other header') -SectionStartIndex 2 - -Search for the end index of the section starting in index 2 in array @('somrthing', '# Parameters', 'other content', '# Other header'). Would return 3. -#> -function Get-MarkdownSectionEndIndex { - - [CmdletBinding()] - param ( - [Parameter(Mandatory = $true)] - [array] $ReadMeContent, - - [Parameter(Mandatory = $true)] - [int] $SectionStartIndex - ) - - $sectionEndIndex = $sectionStartIndex + 1 - while ($readMeContent[$sectionEndIndex] -notlike '*# *' -and -not ($sectionEndIndex -ge $ReadMeContent.count)) { - $sectionEndIndex++ - } - - return $sectionEndIndex -} - -<# -.SYNOPSIS -Get the start & end index of a table in a given markdown section, indentified by a header - -.DESCRIPTION -Get the start & end index of a table in a given markdown section, indentified by a header. - -.PARAMETER ReadMeContent -Required. The content to search in - -.PARAMETER MarkdownSectionIdentifier -Required. The header of the section containing the table to search for. For example '*# Parameters' - -.EXAMPLE -$tableStartIndex, $tableEndIndex = Get-TableStartAndEndIndex -ReadMeContent @('# Parameters', '| a | b |', '| - | - |', '| 1 | 2 |', 'other content') -MarkdownSectionIdentifier '*# Parameters' - -Get the start & end index of the table in section '# Parameters' in the given ReadMe content. 
Would return @(1,3) -#> -function Get-TableStartAndEndIndex { - - [CmdletBinding()] - param ( - [Parameter(Mandatory = $true)] - [array] $ReadMeContent, - - [Parameter(Mandatory = $true)] - [string] $MarkdownSectionIdentifier - ) - - $sectionStartIndex = Get-MarkdownSectionStartIndex -ReadMeContent $ReadMeContent -MarkdownSectionIdentifier $MarkdownSectionIdentifier - - $tableStartIndex = $sectionStartIndex + 1 - while ($readMeContent[$tableStartIndex] -notlike '*|*' -and -not ($tableStartIndex -ge $readMeContent.count)) { - $tableStartIndex++ - } - - $tableEndIndex = $tableStartIndex + 2 - while ($readMeContent[$tableEndIndex] -like '|*' -and -not ($tableEndIndex -ge $readMeContent.count)) { - $tableEndIndex++ - } - - return $tableStartIndex, $tableEndIndex -} diff --git a/arm/Microsoft.AAD/DomainServices/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.AAD/DomainServices/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.AAD/DomainServices/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.AAD/DomainServices/.bicep/nested_rbac.bicep index 4e34d1e5d3..2cf7e56e41 100644 --- a/arm/Microsoft.AAD/DomainServices/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.AAD/DomainServices/.bicep/nested_rbac.bicep @@ -64,7 +64,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: AzureADDS }] diff --git a/arm/Microsoft.AAD/DomainServices/.parameters/parameters.json b/arm/Microsoft.AAD/DomainServices/.parameters/parameters.json index 6166d322e2..78d6988768 100644 --- a/arm/Microsoft.AAD/DomainServices/.parameters/parameters.json 
+++ b/arm/Microsoft.AAD/DomainServices/.parameters/parameters.json @@ -8,9 +8,6 @@ "sku": { "value": "Standard" }, - "lock": { - "value": "CanNotDelete" - }, "replicaSets": { "value": [ { @@ -51,6 +48,9 @@ }, "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" + }, + "lock": { + "value": "NotSpecified" } } } diff --git a/arm/Microsoft.AAD/DomainServices/deploy.bicep b/arm/Microsoft.AAD/DomainServices/deploy.bicep index 677eea59fa..b8b482446d 100644 --- a/arm/Microsoft.AAD/DomainServices/deploy.bicep +++ b/arm/Microsoft.AAD/DomainServices/deploy.bicep @@ -132,12 +132,12 @@ param diagnosticLogsRetentionInDays int = 365 param enableDefaultTelemetry bool = true @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -220,7 +220,7 @@ resource domainService 'Microsoft.AAD/DomainServices@2021-05-01' = { } resource domainService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: '${domainService.name}-diagnosticSettings' + name: '${domainName}-diagnosticSettings' properties: { storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null 
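Review bot: Switching the test parameter file's `lock` from `"CanNotDelete"` to `"NotSpecified"` removes the only deployment that exercised the `domainService_lock` resource, so the module's CI deployment no longer validates that the CanNotDelete lock is created and scoped to the AADDS instance. Since the lock is the control that protects the domain service from accidental deletion, keep at least one parameter set with `"lock": { "value": "CanNotDelete" }`, for example as a second parameters file for the locked variant, rather than defaulting the test to the unlocked path. If the intent is only to show the new default, a note in the readme example saying that `NotSpecified` deploys no lock would stop readers copying the unlocked configuration into production.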
@@ -231,16 +231,16 @@ resource domainService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings scope: domainService } -resource domainService_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { - name: '${domainService.name}-${lock}-lock' +resource domainService_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { + name: '${domainName}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: domainService } -module domainService_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module domainService_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-VNet-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.AAD/DomainServices/readme.md b/arm/Microsoft.AAD/DomainServices/readme.md index 32b06fe225..365422662a 100644 --- a/arm/Microsoft.AAD/DomainServices/readme.md +++ b/arm/Microsoft.AAD/DomainServices/readme.md 
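Review bot: The lock name is switched to `'${domainName}-${lock}-lock'`, but the locked resource has its own `name` parameter that merely defaults to `domainName` (per the module readme), so once a caller overrides `name` the lock name no longer identifies the resource it protects. The sibling modules in this same change (AnalysisServices, API Management, App Configuration) keep `'${<resource>.name}-${lock}-lock'`, so this module now diverges from them; unless the symbolic reference was causing a compile error here, `name: '${domainService.name}-${lock}-lock'` keeps the naming consistent. Separately, the rbac module's deployment name still carries `-VNet-Rbac-` inside the DomainServices module (unchanged context line), which looks like a copy-paste leftover worth renaming to `-AADDS-Rbac-`.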
@@ -49,7 +49,7 @@ This template deploys Azure Active Directory Domain Services (AADDS). | `kerberosRc4Encryption` | string | `'Enabled'` | `[Enabled, Disabled]` | The value is to enable Kerberos requests that use RC4 encryption. | | `ldaps` | string | `'Enabled'` | `[Enabled, Disabled]` | A flag to determine whether or not Secure LDAP is enabled or disabled. | | `location` | string | `[resourceGroup().location]` | | The location to deploy the Azure ADDS Services. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `logsToEnable` | array | `[SystemSecurity, AccountManagement, LogonLogoff, ObjectAccess, PolicyChange, PrivilegeUse, DetailTracking, DirectoryServiceAccess, AccountLogon]` | `[SystemSecurity, AccountManagement, LogonLogoff, ObjectAccess, PolicyChange, PrivilegeUse, DetailTracking, DirectoryServiceAccess, AccountLogon]` | The name of logs that will be streamed. | | `name` | string | `[parameters('domainName')]` | | The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service. | | `notifyDcAdmins` | string | `'Enabled'` | `[Enabled, Disabled]` | The value is to notify the DC Admins. | @@ -224,9 +224,6 @@ $pfxCertificate = [System.Convert]::ToBase64String($rawCertByteStream) "sku": { "value": "Standard" }, - "lock": { - "value": "CanNotDelete" - }, "replicaSets": { "value": [ { @@ -267,6 +264,9 @@ $pfxCertificate = [System.Convert]::ToBase64String($rawCertByteStream) }, "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" + }, + "lock": { + "value": "NotSpecified" } } } 
@@ -290,15 +290,44 @@ module DomainServices './Microsoft.AAD/DomainServices/deploy.bicep' = { params: { domainName: '<>.onmicrosoft.com' sku: 'Standard' - lock: 'CanNotDelete' replicaSets: [ { location: 'WestEurope' subnetId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-aadds-001/subnets/AADDSSubnet' } ] - pfxCertificate: kv1.getSecret('pfxBase64Certificate') - pfxCertificatePassword: kv1.getSecret('pfxCertificatePassword') + pfxCertificate: [ + { + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + } + secretName: 'pfxBase64Certificate' + } + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true + } + ] + pfxCertificatePassword: [ + { + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + } + secretName: 'pfxCertificatePassword' + } + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true + } + ] additionalRecipients: [ '<>@noreply.github.com' ] @@ -306,6 +335,7 @@ module DomainServices './Microsoft.AAD/DomainServices/deploy.bicep' = { diagnosticStorageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' diagnosticEventHubAuthorizationRuleId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' diagnosticEventHubName: 'adp-<>-az-evh-x-001' + lock: 'NotSpecified' } ``` 
diff --git a/arm/Microsoft.AnalysisServices/servers/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.AnalysisServices/servers/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.AnalysisServices/servers/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.AnalysisServices/servers/.bicep/nested_rbac.bicep index 5325be4d3d..31d503447d 100644 --- a/arm/Microsoft.AnalysisServices/servers/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.AnalysisServices/servers/.bicep/nested_rbac.bicep @@ -47,7 +47,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: server }] diff --git a/arm/Microsoft.AnalysisServices/servers/.parameters/max.parameters.json b/arm/Microsoft.AnalysisServices/servers/.parameters/max.parameters.json index 54abf71cc2..eafaffd74d 100644 --- a/arm/Microsoft.AnalysisServices/servers/.parameters/max.parameters.json +++ b/arm/Microsoft.AnalysisServices/servers/.parameters/max.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>azasweumax001" }, - "lock": { - "value": "CanNotDelete" - }, "skuName": { "value": "S0" }, @@ -41,6 +38,9 @@ "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" }, + "lock": { + "value": "NotSpecified" + }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.AnalysisServices/servers/.parameters/parameters.json b/arm/Microsoft.AnalysisServices/servers/.parameters/parameters.json index 592ffff258..e2e01dcad7 100644 --- a/arm/Microsoft.AnalysisServices/servers/.parameters/parameters.json +++ b/arm/Microsoft.AnalysisServices/servers/.parameters/parameters.json 
@@ -5,9 +5,6 @@ "name": { "value": "<>azasweux001" }, - "lock": { - "value": "CanNotDelete" - }, "skuName": { "value": "S0" }, diff --git a/arm/Microsoft.AnalysisServices/servers/deploy.bicep b/arm/Microsoft.AnalysisServices/servers/deploy.bicep index 299d482632..728a95e5c7 100644 --- a/arm/Microsoft.AnalysisServices/servers/deploy.bicep +++ b/arm/Microsoft.AnalysisServices/servers/deploy.bicep @@ -40,12 +40,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -121,11 +121,11 @@ resource server 'Microsoft.AnalysisServices/servers@2017-08-01' = { } } -resource server_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource server_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${server.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: server } 
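Review bot: Replacing `''` with `'NotSpecified'` in the `@allowed` list is a breaking interface change for any caller that still passes `lock: ''` explicitly (the value the readme documented as the default until now), because ARM validation rejects values outside `allowedValues` at deployment time rather than treating them as "no lock". Since the condition `if (lock != 'NotSpecified')` is the only consumer, the old value can be kept accepted for one release at near-zero cost: add `''` back to the allowed list and use `if (lock != 'NotSpecified' && !empty(lock))`, or call the break out in the module changelog. The parameter description could also say what the sentinel means, e.g. `@description('Optional. Specify the type of lock. Use NotSpecified to deploy no lock.')`.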
@@ -143,7 +143,7 @@ resource server_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-0 scope: server } -module server_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module server_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-AnServicesServer-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.AnalysisServices/servers/readme.md b/arm/Microsoft.AnalysisServices/servers/readme.md index 87388fcc40..2038c59b33 100644 --- a/arm/Microsoft.AnalysisServices/servers/readme.md +++ b/arm/Microsoft.AnalysisServices/servers/readme.md @@ -39,7 +39,7 @@ This module deploys an Analysis Services Server. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `firewallSettings` | object | `{object}` | | The inbound firewall rules to define on the server. If not specified, firewall is disabled. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `skuCapacity` | int | `1` | | The total number of query replica scale-out instances. | | `skuName` | string | `'S0'` | | The SKU name of the Azure Analysis Services server to create. | 
@@ -171,9 +171,6 @@ roleAssignments: [ "name": { "value": "<>azasweumax001" }, - "lock": { - "value": "CanNotDelete" - }, "skuName": { "value": "S0" }, @@ -207,6 +204,9 @@ roleAssignments: [ "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" }, + "lock": { + "value": "NotSpecified" + }, "roleAssignments": { "value": [ { @@ -244,7 +244,6 @@ module servers './Microsoft.AnalysisServices/servers/deploy.bicep' = { name: '${uniqueString(deployment().name)}-servers' params: { name: '<>azasweumax001' - lock: 'CanNotDelete' skuName: 'S0' skuCapacity: 1 firewallSettings: { @@ -262,6 +261,7 @@ module servers './Microsoft.AnalysisServices/servers/deploy.bicep' = { diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' diagnosticEventHubAuthorizationRuleId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' diagnosticEventHubName: 'adp-<>-az-evh-x-001' + lock: 'NotSpecified' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' @@ -333,9 +333,6 @@ module servers './Microsoft.AnalysisServices/servers/deploy.bicep' = { "name": { "value": "<>azasweux001" }, - "lock": { - "value": "CanNotDelete" - }, "skuName": { "value": "S0" }, @@ -380,7 +377,6 @@ module servers './Microsoft.AnalysisServices/servers/deploy.bicep' = { name: '${uniqueString(deployment().name)}-servers' params: { name: '<>azasweux001' - lock: 'CanNotDelete' skuName: 'S0' roleAssignments: [ { diff --git a/arm/Microsoft.ApiManagement/service/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.ApiManagement/service/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.ApiManagement/service/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.ApiManagement/service/.bicep/nested_rbac.bicep index 1679432ec9..cc5bd88ad9 100644 
--- a/arm/Microsoft.ApiManagement/service/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.ApiManagement/service/.bicep/nested_rbac.bicep @@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: service }] diff --git a/arm/Microsoft.ApiManagement/service/.parameters/max.parameters.json b/arm/Microsoft.ApiManagement/service/.parameters/max.parameters.json index f760ecf1d4..6e0aa4c385 100644 --- a/arm/Microsoft.ApiManagement/service/.parameters/max.parameters.json +++ b/arm/Microsoft.ApiManagement/service/.parameters/max.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-apim-max-001" }, - "lock": { - "value": "CanNotDelete" - }, "publisherEmail": { "value": "apimgmt-noreply@mail.windowsazure.com" }, diff --git a/arm/Microsoft.ApiManagement/service/.parameters/parameters.json b/arm/Microsoft.ApiManagement/service/.parameters/parameters.json index 8f73097f17..4cf5e8349e 100644 --- a/arm/Microsoft.ApiManagement/service/.parameters/parameters.json +++ b/arm/Microsoft.ApiManagement/service/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-apim-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "publisherEmail": { "value": "apimgmt-noreply@mail.windowsazure.com" }, diff --git a/arm/Microsoft.ApiManagement/service/apis/deploy.bicep b/arm/Microsoft.ApiManagement/service/apis/deploy.bicep index 067e1731ea..97b557c374 100644 --- a/arm/Microsoft.ApiManagement/service/apis/deploy.bicep +++ b/arm/Microsoft.ApiManagement/service/apis/deploy.bicep 
@@ -94,7 +94,7 @@ param value string = '' @description('Optional. Criteria to limit import of WSDL to a subset of the document.') param wsdlSelector object = {} -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' @@ -146,7 +146,7 @@ module policy 'policies/deploy.bicep' = [for (policy, index) in policies: { apiName: api.name format: contains(policy, 'format') ? policy.format : 'xml' value: policy.value - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] diff --git a/arm/Microsoft.ApiManagement/service/deploy.bicep b/arm/Microsoft.ApiManagement/service/deploy.bicep index 9ac435f3a8..29dc9381fd 100644 --- a/arm/Microsoft.ApiManagement/service/deploy.bicep +++ b/arm/Microsoft.ApiManagement/service/deploy.bicep @@ -47,12 +47,12 @@ param userAssignedIdentities object = {} param location string = resourceGroup().location @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Limit control plane API calls to API Management service with version equal to or newer than this value.') param minApiVersion string = '' @@ -153,7 +153,7 @@ param subscriptions array = [] @description('Optional. The name of the diagnostic setting, if deployed.') param diagnosticSettingsName string = '${name}-diagnosticSettings' -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { category: category 
@@ -248,7 +248,7 @@ module apis_resource 'apis/deploy.bicep' = [for (api, index) in apis: { type: contains(api, 'type') ? api.type : 'http' value: contains(api, 'value') ? api.value : '' wsdlSelector: contains(api, 'wsdlSelector') ? api.wsdlSelector : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ apiVersionSet_resource @@ -261,7 +261,7 @@ module apiVersionSet_resource 'apiVersionSets/deploy.bicep' = [for (apiVersionSe apiManagementServiceName: apiManagementService.name name: apiVersionSet.name properties: contains(apiVersionSet, 'properties') ? apiVersionSet.properties : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -292,7 +292,7 @@ module authorizationServers_resource '.bicep/nested_authorizationServers.bicep' supportState: contains(authorizationServer, 'supportState') ? authorizationServer.supportState : false tokenBodyParameters: contains(authorizationServer, 'tokenBodyParameters') ? authorizationServer.tokenBodyParameters : [] tokenEndpoint: contains(authorizationServer, 'tokenEndpoint') ? authorizationServer.tokenEndpoint : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -313,7 +313,7 @@ module backends_resource 'backends/deploy.bicep' = [for (backend, index) in back validateCertificateChain: false validateCertificateName: false } - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -326,7 +326,7 @@ module caches_resource 'caches/deploy.bicep' = [for (cache, index) in caches: { name: cache.name resourceId: contains(cache, 'resourceId') ? cache.resourceId : '' useFromLocation: cache.useFromLocation - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] 
@@ -346,7 +346,7 @@ module identityProvider_resource 'identityProviders/deploy.bicep' = [for (identi identityProviderSignInTenant: contains(identityProvider, 'identityProviderSignInTenant') ? identityProvider.identityProviderSignInTenant : '' identityProviderSignUpPolicyName: contains(identityProvider, 'identityProviderSignUpPolicyName') ? identityProvider.identityProviderSignUpPolicyName : '' identityProviderType: contains(identityProvider, 'identityProviderType') ? identityProvider.identityProviderType : 'aad' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -360,7 +360,7 @@ module namedValues_resource 'namedValues/deploy.bicep' = [for (namedValue, index namedValueTags: contains(namedValue, 'namedValueTags') ? namedValue.namedValueTags : [] secret: contains(namedValue, 'secret') ? namedValue.secret : false value: contains(namedValue, 'value') ? namedValue.value : newGuidValue - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -370,7 +370,7 @@ module portalSettings_resource 'portalsettings/deploy.bicep' = [for (portalSetti apiManagementServiceName: apiManagementService.name name: portalSetting.name properties: contains(portalSetting, 'properties') ? portalSetting.properties : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -380,7 +380,7 @@ module policy_resource 'policies/deploy.bicep' = [for (policy, index) in policie apiManagementServiceName: apiManagementService.name value: policy.value format: contains(policy, 'format') ? policy.format : 'xml' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] 
@@ -397,7 +397,7 @@ module products_resource 'products/deploy.bicep' = [for (product, index) in prod subscriptionRequired: contains(product, 'subscriptionRequired') ? product.subscriptionRequired : false subscriptionsLimit: contains(product, 'subscriptionsLimit') ? product.subscriptionsLimit : 1 terms: contains(product, 'terms') ? product.terms : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ apis_resource @@ -415,14 +415,14 @@ module subscriptions_resource 'subscriptions/deploy.bicep' = [for (subscription, scope: contains(subscription, 'scope') ? subscription.scope : '/apis' secondaryKey: contains(subscription, 'secondaryKey') ? subscription.secondaryKey : '' state: contains(subscription, 'state') ? subscription.state : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] -resource apiManagementService_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource apiManagementService_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${apiManagementService.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: apiManagementService @@ -441,7 +441,7 @@ resource apiManagementService_diagnosticSettings 'Microsoft.Insights/diagnosticS scope: apiManagementService } -module apiManagementService_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module apiManagementService_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-Apim-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' 
diff --git a/arm/Microsoft.ApiManagement/service/products/deploy.bicep b/arm/Microsoft.ApiManagement/service/products/deploy.bicep index 835db80954..d4f493b70d 100644 --- a/arm/Microsoft.ApiManagement/service/products/deploy.bicep +++ b/arm/Microsoft.ApiManagement/service/products/deploy.bicep @@ -31,7 +31,7 @@ param subscriptionsLimit int = 1 @description('Optional. Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process.') param terms string = '' -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' @@ -69,7 +69,7 @@ module product_apis 'apis/deploy.bicep' = [for (api, index) in apis: { apiManagementServiceName: apiManagementServiceName name: api.name productName: name - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -79,7 +79,7 @@ module product_groups 'groups/deploy.bicep' = [for (group, index) in groups: { apiManagementServiceName: apiManagementServiceName name: group.name productName: name - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] diff --git a/arm/Microsoft.ApiManagement/service/readme.md b/arm/Microsoft.ApiManagement/service/readme.md index 6b9b86880c..bf00e3947c 100644 --- a/arm/Microsoft.ApiManagement/service/readme.md +++ b/arm/Microsoft.ApiManagement/service/readme.md 
@@ -67,7 +67,7 @@ This module deploys an API management service. | `hostnameConfigurations` | array | `[]` | | Custom hostname configuration of the API Management service. | | `identityProviders` | _[identityProviders](identityProviders/readme.md)_ array | `[]` | | Identity providers. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `minApiVersion` | string | `''` | | Limit control plane API calls to API Management service with version equal to or newer than this value. | | `namedValues` | _[namedValues](namedValues/readme.md)_ array | `[]` | | Named values. | | `newGuidValue` | string | `[newGuid()]` | | Necessary to create a new GUID. | @@ -282,9 +282,6 @@ userAssignedIdentities: { "name": { "value": "<>-az-apim-max-001" }, - "lock": { - "value": "CanNotDelete" - }, "publisherEmail": { "value": "apimgmt-noreply@mail.windowsazure.com" }, @@ -466,7 +463,6 @@ module service './Microsoft.ApiManagement/service/deploy.bicep' = { name: '${uniqueString(deployment().name)}-service' params: { name: '<>-az-apim-max-001' - lock: 'CanNotDelete' publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' publisherName: '<>-az-amorg-x-001' apis: [ @@ -655,9 +651,6 @@ module service './Microsoft.ApiManagement/service/deploy.bicep' = { "name": { "value": "<>-az-apim-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "publisherEmail": { "value": "apimgmt-noreply@mail.windowsazure.com" }, @@ -718,7 +711,6 @@ module service './Microsoft.ApiManagement/service/deploy.bicep' = { name: '${uniqueString(deployment().name)}-service' params: { name: '<>-az-apim-x-001' - lock: 'CanNotDelete' publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' publisherName: '<>-az-amorg-x-001' portalSettings: [ 
diff --git a/arm/Microsoft.AppConfiguration/configurationStores/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.AppConfiguration/configurationStores/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..0e3f625a39 --- /dev/null +++ b/arm/Microsoft.AppConfiguration/configurationStores/.bicep/nested_privateEndpoint.bicep 
@@ -0,0 +1,49 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpointObj object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}')
+ subnetResourceId: privateEndpointObj.subnetResourceId
+ service: [
+ privateEndpointObj.service
+ ]
+ privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : [])
+ customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null)
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+}
+
+resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
+ name: '${privateEndpoint.name}/default'
+ properties: {
+ privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): {
+ name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/'))
+ properties: {
+ privateDnsZoneId: privateEndpoint_var.privateDnsZoneResourceIds[j]
+ }
+ }]
+ }
+}
diff --git a/arm/Microsoft.AppConfiguration/configurationStores/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.AppConfiguration/configurationStores/.bicep/nested_rbac.bicep
similarity index 97%
rename from arm/Microsoft.AppConfiguration/configurationStores/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.AppConfiguration/configurationStores/.bicep/nested_rbac.bicep
index 18eec47fac..1a65e573d0 100644
--- a/arm/Microsoft.AppConfiguration/configurationStores/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.AppConfiguration/configurationStores/.bicep/nested_rbac.bicep
@@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: appConfiguration
 }]
diff --git a/arm/Microsoft.AppConfiguration/configurationStores/.parameters/parameters.json b/arm/Microsoft.AppConfiguration/configurationStores/.parameters/parameters.json
index 5d1889a5b8..a1bdb8cac9 100644
--- a/arm/Microsoft.AppConfiguration/configurationStores/.parameters/parameters.json
+++ b/arm/Microsoft.AppConfiguration/configurationStores/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "<>-az-appcs-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "diagnosticLogsRetentionInDays": {
 "value": 7
 },
diff --git a/arm/Microsoft.AppConfiguration/configurationStores/deploy.bicep b/arm/Microsoft.AppConfiguration/configurationStores/deploy.bicep
index 7efaf96b42..17aad36691 100644
--- a/arm/Microsoft.AppConfiguration/configurationStores/deploy.bicep
+++ b/arm/Microsoft.AppConfiguration/configurationStores/deploy.bicep
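Review bot: None of the four parameters in the new nested_privateEndpoint.bicep carries a `@description`, and the contract of `privateEndpointObj` (required `service` and `subnetResourceId`; optional `name`, `privateDnsZoneResourceIds`, `customDnsConfigs`) is only discoverable by reading `privateEndpoint_var`, which is the first thing a caller of the parent module will need. At minimum add `@description('Required. The resource ID of the resource the private endpoint is created for.')` on `privateEndpointResourceId` and a description on `privateEndpointObj` that lists those keys and says that `privateDnsZoneResourceIds` is what triggers the `privateDnsZoneGroups` child, since an endpoint without it resolves nothing privately. Two smaller points: the child resource pins `@2021-02-01` while the parent uses `@2021-05-01`, and a `parent: privateEndpoint` reference would be clearer than the `'${privateEndpoint.name}/default'` name form; and note in a comment that `manualPrivateLinkServiceConnections: []` means connections are auto-approved, as the shared module this replaces let callers choose.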
@@ -60,12 +60,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -100,8 +100,6 @@ param diagnosticSettingsName string = '${name}-diagnosticSettings' @description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] -var enableReferencedModulesTelemetry = false - var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { category: category enabled: true @@ -140,7 +138,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' = { +resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' = { name: name location: location tags: tags 
@@ -157,16 +155,16 @@ resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2021 } } -resource configurationStore_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { - name: '${configurationStore.name}-${lock}-lock' +resource appConfiguration_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { + name: '${appConfiguration.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } - scope: configurationStore + scope: appConfiguration } -resource configurationStore_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { +resource appConfiguration_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { name: diagnosticSettingsName properties: { storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null 
@@ -176,51 +174,41 @@ resource configurationStore_diagnosticSettings 'Microsoft.Insights/diagnosticset metrics: diagnosticsMetrics logs: diagnosticsLogs } - scope: configurationStore + scope: appConfiguration } -module configurationStore_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module appConfiguration_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-AppConfig-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' principalIds: roleAssignment.principalIds principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - resourceId: configurationStore.id + resourceId: appConfiguration.id } }] -module configurationStore_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-appConfiguration-PrivateEndpoint-${index}' +module appConfiguration_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: { + name: '${uniqueString(deployment().name, location)}-AppConfig-PrivateEndpoint-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(configurationStore.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: configurationStore.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? 
privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: appConfiguration.id + privateEndpointVnetLocation: empty(privateEndpoints) ? 'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + privateEndpointObj: privateEndpoint + tags: tags } }] @description('The name of the app configuration.') -output name string = configurationStore.name +output name string = appConfiguration.name @description('The resource ID of the app configuration.') -output resourceId string = configurationStore.id +output resourceId string = appConfiguration.id @description('The resource group the batch account was deployed into.') output resourceGroupName string = resourceGroup().name @description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(configurationStore.identity, 'principalId') ? configurationStore.identity.principalId : '' +output systemAssignedPrincipalId string = systemAssignedIdentity && contains(appConfiguration.identity, 'principalId') ? appConfiguration.identity.principalId : '' @description('The location the resource was deployed into.') -output location string = configurationStore.location +output location string = appConfiguration.location diff --git a/arm/Microsoft.AppConfiguration/configurationStores/readme.md b/arm/Microsoft.AppConfiguration/configurationStores/readme.md index 8be57afc20..7a8f5b4714 100644 --- a/arm/Microsoft.AppConfiguration/configurationStores/readme.md 
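Review bot: Switching `appConfiguration_privateEndpoints` to `.bicep/nested_privateEndpoint.bicep` drops the per-endpoint `lock`, `roleAssignments`, `manualPrivateLinkServiceConnections` and `privateDnsZoneGroups` inputs that the removed lines forwarded, and replaces each endpoint's own `tags` with the store's `tags`; a lock configured on the configuration store is therefore no longer applied to its private endpoint, which is a posture regression worth stating in the commit description or fixing by extending the nested module to accept `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock`. The `empty(privateEndpoints) ? 'dummy' : reference(...)` guard on `privateEndpointVnetLocation` looks unreachable inside a `[for ... in privateEndpoints]` loop, since the body is not evaluated for an empty array; if it works around a compile-time check on `reference()`, a one-line comment saying so would help. The readme hunk that follows changes the `privateDnsZoneGroups` API version in the resource table to 2021-02-01, but the nested module for this resource is not in the diff, so I cannot confirm the table matches the code.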
+++ b/arm/Microsoft.AppConfiguration/configurationStores/readme.md @@ -18,7 +18,7 @@ This module deploys an App Configuration Store. | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters 
@@ -44,7 +44,7 @@ This module deploys an App Configuration Store. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `enablePurgeProtection` | bool | `False` | | Property specifying whether protection against purge is enabled for this configuration store. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | Control permission for data plane traffic coming from public networks while private endpoint is enabled. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -187,6 +187,7 @@ roleAssignments: [

+======= ### Parameter Usage: `privateEndpoints` To use Private Endpoint the following dependencies must be deployed: @@ -264,6 +265,7 @@ privateEndpoints: [
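Review bot: Unresolved merge-conflict markers are being committed into readme.md: this hunk adds a bare `=======` line ahead of the `### Parameter Usage: privateEndpoints` heading, and the next hunk adds `>>>>>>> 3c13c7e234f0efcae26a25417453c58843d2002d` ahead of `## Outputs`. Both lines must be removed and the conflict resolved by hand before merging; the matching `<<<<<<<` marker is not visible in this diff, so the whole stretch between the markers should be re-read to decide which side survives.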

+>>>>>>> 3c13c7e234f0efcae26a25417453c58843d2002d ## Outputs | Output Name | Type | Description | @@ -326,9 +328,6 @@ module configurationStores './Microsoft.AppConfiguration/configurationStores/dep "name": { "value": "<>-az-appcs-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "diagnosticLogsRetentionInDays": { "value": 7 }, @@ -396,7 +395,6 @@ module configurationStores './Microsoft.AppConfiguration/configurationStores/dep name: '${uniqueString(deployment().name)}-configurationStores' params: { name: '<>-az-appcs-x-001' - lock: 'CanNotDelete' diagnosticLogsRetentionInDays: 7 diagnosticStorageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep index 764383db90..b8312a2088 100644 --- a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep +++ b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep @@ -61,7 +61,7 @@ param location string = deployment().location @sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -94,7 +94,7 @@ module policyAssignment_mg 'managementGroup/deploy.bicep' = if (empty(subscripti notScopes: !empty(notScopes) ? notScopes : [] managementGroupId: managementGroupId location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } 
@@ -116,7 +116,7 @@ module policyAssignment_sub 'subscription/deploy.bicep' = if (!empty(subscriptio notScopes: !empty(notScopes) ? notScopes : [] subscriptionId: subscriptionId location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -138,7 +138,7 @@ module policyAssignment_rg 'resourceGroup/deploy.bicep' = if (!empty(resourceGro notScopes: !empty(notScopes) ? notScopes : [] subscriptionId: subscriptionId location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } diff --git a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep index 455ad65454..320f650992 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep +++ b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep @@ -42,7 +42,7 @@ param location string = deployment().location @sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -70,7 +70,7 @@ module policyDefinition_mg 'managementGroup/deploy.bicep' = if (empty(subscripti parameters: !empty(parameters) ? parameters : {} policyRule: policyRule location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -87,7 +87,7 @@ module policyDefinition_sub 'subscription/deploy.bicep' = if (!empty(subscriptio parameters: !empty(parameters) ? parameters : {} policyRule: policyRule location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } 
diff --git a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep index a0f74a42a9..6abb4fbdb1 100644 --- a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep @@ -45,7 +45,7 @@ param location string = deployment().location @sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -74,7 +74,7 @@ module policyExemption_mg 'managementGroup/deploy.bicep' = if (empty(subscriptio expiresOn: !empty(expiresOn) ? expiresOn : '' managementGroupId: managementGroupId location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -92,7 +92,7 @@ module policyExemption_sub 'subscription/deploy.bicep' = if (!empty(subscription expiresOn: !empty(expiresOn) ? expiresOn : '' subscriptionId: subscriptionId location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -110,7 +110,7 @@ module policyExemption_rg 'resourceGroup/deploy.bicep' = if (!empty(resourceGrou expiresOn: !empty(expiresOn) ? expiresOn : '' subscriptionId: subscriptionId resourceGroupName: resourceGroupName - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } diff --git a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep index f57db04f2b..cc3631ac5f 100644 --- a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep 
+++ b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep @@ -1,6 +1,6 @@ targetScope = 'managementGroup' -@sys.description('Required. Specifies the name of the policy Set Definition (Initiative).') +@sys.description('Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope and 64 characters for subscription scope.') @maxLength(64) param name string @@ -35,7 +35,7 @@ param location string = deployment().location @sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -63,7 +63,7 @@ module policySetDefinition_mg 'managementGroup/deploy.bicep' = if (empty(subscri policyDefinitionGroups: !empty(policyDefinitionGroups) ? policyDefinitionGroups : [] managementGroupId: managementGroupId location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -80,7 +80,7 @@ module policySetDefinition_sub 'subscription/deploy.bicep' = if (!empty(subscrip policyDefinitionGroups: !empty(policyDefinitionGroups) ? policyDefinitionGroups : [] subscriptionId: subscriptionId location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep index 54a92f6ec2..e477cb8161 100644 --- a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep +++ b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/deploy.bicep 
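Review bot: The new description on `name` promises a 24-character limit at management-group scope, but the decorator on the next line stays `@maxLength(64)`, so a 25–64 character name passes validation in this module and only fails inside `managementGroup/deploy.bicep`, which the following file lowers to `@maxLength(24)`. A single decorator cannot express a scope-dependent limit, so consider making the failure point explicit in the description, e.g. `... Names longer than 24 characters are rejected by the management group deployment.` Lowering the child module's limit from 64 to 24 also rejects existing longer names on redeploy; if that is intended it belongs in the commit description.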
@@ -1,7 +1,7 @@ targetScope = 'managementGroup' -@sys.description('Required. Specifies the name of the policy Set Definition (Initiative).') -@maxLength(64) +@sys.description('Required. Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope.') +@maxLength(24) param name string @sys.description('Optional. The display name of the Set Definition (Initiative). Maximum length is 128 characters.') diff --git a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md index 83f6854956..30ffcb68a4 100644 --- a/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md +++ b/arm/Microsoft.Authorization/policySetDefinitions/managementGroup/readme.md @@ -19,7 +19,7 @@ With this module you can create policy set definitions on a management group lev **Required parameters** | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy Set Definition (Initiative). | +| `name` | string | Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope. | | `policyDefinitions` | array | The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. | **Optional parameters** diff --git a/arm/Microsoft.Authorization/policySetDefinitions/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/readme.md index eb194adcdb..c5bbda9874 100644 --- a/arm/Microsoft.Authorization/policySetDefinitions/readme.md +++ b/arm/Microsoft.Authorization/policySetDefinitions/readme.md 
@@ -22,7 +22,7 @@ With this module you can create policy set definitions across the management gro **Required parameters** | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `name` | string | Specifies the name of the policy Set Definition (Initiative). | +| `name` | string | Specifies the name of the policy Set Definition (Initiative). Maximum length is 24 characters for management group scope and 64 characters for subscription scope. | | `policyDefinitions` | array | The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters. | **Optional parameters** diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep index f2ac30b171..4695bc3573 100644 --- a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep @@ -47,7 +47,7 @@ param principalType string = '' @sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -75,7 +75,7 @@ module roleAssignment_mg 'managementGroup/deploy.bicep' = if (empty(subscription conditionVersion: conditionVersion condition: !empty(condition) ? condition : '' location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } 
@@ -92,7 +92,7 @@ module roleAssignment_sub 'subscription/deploy.bicep' = if (!empty(subscriptionI conditionVersion: conditionVersion condition: !empty(condition) ? condition : '' location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -109,7 +109,7 @@ module roleAssignment_rg 'resourceGroup/deploy.bicep' = if (!empty(resourceGroup delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : '' conditionVersion: conditionVersion condition: !empty(condition) ? condition : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } diff --git a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep index 052c570948..810e9c5707 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep @@ -36,7 +36,7 @@ param assignableScopes array = [] @sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -62,7 +62,7 @@ module roleDefinition_mg 'managementGroup/deploy.bicep' = if (empty(subscription assignableScopes: !empty(assignableScopes) ? assignableScopes : [] managementGroupId: managementGroupId location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } 
@@ -79,7 +79,7 @@ module roleDefinition_sub 'subscription/deploy.bicep' = if (!empty(subscriptionI assignableScopes: !empty(assignableScopes) ? assignableScopes : [] subscriptionId: subscriptionId location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -96,7 +96,7 @@ module roleDefinition_rg 'resourceGroup/deploy.bicep' = if (!empty(resourceGroup assignableScopes: !empty(assignableScopes) ? assignableScopes : [] subscriptionId: subscriptionId resourceGroupName: resourceGroupName - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } diff --git a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_linkedService.bicep b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_linkedService.bicep new file mode 100644 index 0000000000..651118484b --- /dev/null +++ b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_linkedService.bicep 
@@ -0,0 +1,37 @@ +@description('Required. Name of the link') +param name string + +@description('Required. Name of the Log Analytics workspace') +param logAnalyticsWorkspaceName string + +@description('Required. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require read access.') +param resourceId string = '' + +@description('Optional. The resource ID of the resource that will be linked to the workspace. This should be used for linking resources which require write access.') +param writeAccessResourceId string = '' + +@description('Optional. Tags to configure in the resource.') +param tags object = {} + +resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = { + name: logAnalyticsWorkspaceName +} + +resource linkedService 'Microsoft.OperationalInsights/workspaces/linkedServices@2020-03-01-preview' = { + name: name + parent: logAnalyticsWorkspace + tags: tags + properties: { + resourceId: !empty(resourceId) ? resourceId : null + writeAccessResourceId: !empty(writeAccessResourceId) ? writeAccessResourceId : null + } +} + +@description('The name of the deployed linked service') +output name string = linkedService.name + +@description('The resource ID of the deployed linked service') +output resourceId string = linkedService.id + +@description('The resource group where the linked service is deployed') +output resourceGroupName string = resourceGroup().name diff --git a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..26e201e43b --- /dev/null +++ b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_privateEndpoint.bicep 
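Review bot: `resourceId` is documented as `Required.` but is declared with a default of `''` and is mapped to `null` when empty, so the decorator and the declaration contradict each other. Either drop the default, `param resourceId string`, or change the decorator to `@description('Optional. ...')` so it matches the handling of `writeAccessResourceId` directly below it.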
@@ -0,0 +1,52 @@ +param privateEndpointResourceId string +param privateEndpointVnetLocation string +param privateEndpointObj object +param tags object + +var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) +var privateEndpoint_var = { + name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}') + subnetResourceId: privateEndpointObj.subnetResourceId + service: [ + privateEndpointObj.service + ] + privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? ((empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds)) : []) + customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null) +} + +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { + name: privateEndpoint_var.name + location: privateEndpointVnetLocation + tags: tags + properties: { + privateLinkServiceConnections: [ + { + name: privateEndpoint_var.name + properties: { + privateLinkServiceId: privateEndpointResourceId + groupIds: privateEndpoint_var.service + } + } + ] + manualPrivateLinkServiceConnections: [] + subnet: { + id: privateEndpoint_var.subnetResourceId + } + customDnsConfigs: privateEndpoint_var.customDnsConfigs + } +} + +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = { + name: '${privateEndpoint_var.name}/default' + properties: { + privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { + name: last(split(privateDnsZoneResourceId, '/')) + properties: { + privateDnsZoneId: privateDnsZoneResourceId + } + }] + } + dependsOn: [ + privateEndpoint + ] +} 
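Review bot: `privateDnsZoneGroups` is deployed unconditionally, so an endpoint configured without `privateDnsZoneResourceIds` still gets a `default` zone group with an empty `privateDnsZoneConfigs` array; guard it with `= if (!empty(privateEndpoint_var.privateDnsZoneResourceIds))`. The child resource is addressed by the string `'${privateEndpoint_var.name}/default'` plus an explicit `dependsOn`, whereas `parent: privateEndpoint` with `name: 'default'` (the form `nested_linkedService.bicep` in this commit already uses) expresses the same relationship without the manual dependency. The four parameters carry no `@description` decorators, unlike the other nested modules added here, and `manualPrivateLinkServiceConnections` is fixed to `[]`, so a caller that previously set it per endpoint has no equivalent.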
diff --git a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Automation/automationAccounts/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Automation/automationAccounts/.bicep/nested_rbac.bicep index 0207272a1e..be42c48f3f 100644 --- a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_rbac.bicep @@ -51,7 +51,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: automationAccount }] diff --git a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_solution.bicep b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_solution.bicep new file mode 100644 index 0000000000..b6cbf586ea --- /dev/null +++ b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_solution.bicep 
@@ -0,0 +1,43 @@ +@description('Required. Name of the solution') +param name string + +@description('Required. Name of the Log Analytics workspace') +param logAnalyticsWorkspaceName string + +@description('Optional. Location for all resources.') +param location string = resourceGroup().location + +@description('Optional. The product of the deployed solution. For gallery solution, it is OMSGallery.') +param product string = 'OMSGallery' + +@description('Optional. The publisher name of the deployed solution. For gallery solution, it is Microsoft.') +param publisher string = 'Microsoft' + +resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = { + name: logAnalyticsWorkspaceName +} + +var solutionName = '${name}(${logAnalyticsWorkspace.name})' + +resource solution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = { + name: solutionName + location: location + properties: { + workspaceResourceId: logAnalyticsWorkspace.id + } + plan: { + name: solutionName + promotionCode: '' + product: '${product}/${name}' + publisher: publisher + } +} + +@description('The name of the deployed solution') +output name string = solution.name + +@description('The resource ID of the deployed solution') +output resourceId string = solution.id + +@description('The resource group where the solution is deployed') +output resourceGroupName string = resourceGroup().name diff --git a/arm/Microsoft.Automation/automationAccounts/.parameters/encr.parameters.json b/arm/Microsoft.Automation/automationAccounts/.parameters/encr.parameters.json index de787fa3bb..c396172aaa 100644 --- a/arm/Microsoft.Automation/automationAccounts/.parameters/encr.parameters.json +++ b/arm/Microsoft.Automation/automationAccounts/.parameters/encr.parameters.json 
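Review bot: The `existing` Log Analytics workspace is referenced with API version `2020-08-01` here, while `nested_linkedService.bicep` in the same commit references the same resource type with `2021-06-01`; aligning the two avoids two schema lookups for one resource and makes the pair easier to bump together. The `@description` strings in this file and in `nested_linkedService.bicep` end without a period, unlike the `deploy.bicep` descriptions elsewhere in the diff; a small thing, but the readme generator presumably copies them verbatim.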
@@ -3,23 +3,24 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-aut-encr-001" + "value": "<>-wd-aut-encr-001" }, - "encryptionKeySource": { - "value": "Microsoft.Keyvault" + "encryptionKeySource" : { + "value" : "Microsoft.Keyvault" }, "encryptionUserAssignedIdentity": { "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" // this identity needs to be one of the identities defined in userAssignedIdentities section }, - "keyName": { - "value": "keyEncryptionKey" + "keyName" : { + "value" : "keyEncryptionKey" }, - "keyvaultUri": { - "value": "https://adp-<>-az-kv-nopr-002.vault.azure.net/" + "keyvaultUri" : { + "value" : "https://adp-carml-az-kv-nopr-002.vault.azure.net/" }, - "keyVersion": { - "value": "9917c14be51d4d93b37218de7d326f60" + "keyVersion" : { + "value" : "9917c14be51d4d93b37218de7d326f60" }, + "userAssignedIdentities": { "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} diff --git a/arm/Microsoft.Automation/automationAccounts/.parameters/min.parameters.json b/arm/Microsoft.Automation/automationAccounts/.parameters/min.parameters.json index c76e891806..36d11228da 100644 --- a/arm/Microsoft.Automation/automationAccounts/.parameters/min.parameters.json +++ b/arm/Microsoft.Automation/automationAccounts/.parameters/min.parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-aut-min-001" + "value": "<>-wd-aut-min-001" } } } diff --git a/arm/Microsoft.Automation/automationAccounts/.parameters/parameters.json b/arm/Microsoft.Automation/automationAccounts/.parameters/parameters.json index ae5e51517b..5973a95523 100644 --- a/arm/Microsoft.Automation/automationAccounts/.parameters/parameters.json +++ b/arm/Microsoft.Automation/automationAccounts/.parameters/parameters.json 
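Review bot: The `keyvaultUri` value replaces the `<>` placeholder with a concrete environment-specific name, `https://adp-carml-az-kv-nopr-002.vault.azure.net/`, while every other value in the same file keeps the `<>` token the test pipeline substitutes; this points the encryption test at a vault that does not exist in other environments and should stay `https://adp-<>-az-kv-nopr-002.vault.azure.net/`. The `name` change to `<>-wd-aut-encr-001` (and the same `wd` infix in min.parameters.json and parameters.json) departs from the `<>-az-...` convention the rest of the diff still uses, e.g. `<>-az-appcs-x-001` in the configurationStores readme. The added space before the colon in `"encryptionKeySource" : {` and the three keys after it is inconsistent with the rest of the file and looks like an unintended formatter change.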
@@ -3,17 +3,14 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-aut-x-001" - }, - "lock": { - "value": "CanNotDelete" + "value": "<>-wd-aut-x-001" }, "schedules": { "value": [ { "name": "TestSchedule", "startTime": "", - "expiryTime": "9999-12-31T13:00", + "expiryTime": "9999-12-31T23:59:00+00:00", "interval": 15, "frequency": "Minute", "timeZone": "Europe/Berlin", @@ -84,11 +81,7 @@ }, "gallerySolutions": { "value": [ - { - "name": "Updates", - "product": "OMSGallery", - "publisher": "Microsoft" - } + "Updates" ] }, "softwareUpdateConfigurations": { diff --git a/arm/Microsoft.Automation/automationAccounts/deploy.bicep b/arm/Microsoft.Automation/automationAccounts/deploy.bicep index 387eba3a0c..b663569a00 100644 --- a/arm/Microsoft.Automation/automationAccounts/deploy.bicep +++ b/arm/Microsoft.Automation/automationAccounts/deploy.bicep @@ -81,12 +81,12 @@ param systemAssignedIdentity bool = false param userAssignedIdentities object = {} @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -120,7 +120,7 @@ param diagnosticMetricsToEnable array = [ @description('Optional. The name of the diagnostic setting, if deployed.') param diagnosticSettingsName string = '${name}-diagnosticSettings' -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { category: category 
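Review bot: Removing the `lock` entry from parameters.json means the validation deployment no longer exercises the lock resource path that deploy.bicep keeps; with the `lock` default in the same file's `@@ -81` hunk now `'NotSpecified'`, nothing in the visible test inputs deploys a lock anymore. Unless another parameter file covers it, keep `"lock": { "value": "CanNotDelete" }` in at least one test so the conditional lock resource stays covered. The `expiryTime` change to `9999-12-31T23:59:00+00:00` adds an explicit offset alongside `"timeZone": "Europe/Berlin"`; a short comment on which one the schedule resource honours would save the next reader a lookup.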
@@ -192,7 +192,7 @@ module automationAccount_modules 'modules/deploy.bicep' = [for (module, index) i uri: module.uri location: location tags: tags - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -208,7 +208,7 @@ module automationAccount_schedules 'schedules/deploy.bicep' = [for (schedule, in interval: contains(schedule, 'interval') ? schedule.interval : 0 startTime: contains(schedule, 'startTime') ? schedule.startTime : '' timeZone: contains(schedule, 'timeZone') ? schedule.timeZone : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -223,7 +223,7 @@ module automationAccount_runbooks 'runbooks/deploy.bicep' = [for (runbook, index version: contains(runbook, 'version') ? runbook.version : '' location: location tags: tags - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -235,7 +235,7 @@ module automationAccount_jobSchedules 'jobSchedules/deploy.bicep' = [for (jobSch scheduleName: jobSchedule.scheduleName parameters: contains(jobSchedule, 'parameters') ? jobSchedule.parameters : {} runOn: contains(jobSchedule, 'runOn') ? jobSchedule.runOn : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ automationAccount_schedules 
@@ -251,16 +251,15 @@ module automationAccount_variables 'variables/deploy.bicep' = [for (variable, in description: contains(variable, 'description') ? variable.description : '' value: variable.value isEncrypted: contains(variable, 'isEncrypted') ? variable.isEncrypted : true - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] -module automationAccount_linkedService '../../Microsoft.OperationalInsights/workspaces/linkedServices/deploy.bicep' = if (!empty(linkedWorkspaceResourceId)) { +module automationAccount_linkedService '.bicep/nested_linkedService.bicep' = if (!empty(linkedWorkspaceResourceId)) { name: '${uniqueString(deployment().name, location)}-AutoAccount-LinkedService' params: { name: 'automation' logAnalyticsWorkspaceName: last(split(linkedWorkspaceResourceId, '/')) - enableDefaultTelemetry: enableReferencedModulesTelemetry resourceId: automationAccount.id tags: tags } 
@@ -269,15 +268,12 @@ module automationAccount_linkedService '../../Microsoft.OperationalInsights/work scope: resourceGroup(!empty(linkedWorkspaceResourceId) ? split(linkedWorkspaceResourceId, '/')[2] : subscription().subscriptionId, !empty(linkedWorkspaceResourceId) ? split(linkedWorkspaceResourceId, '/')[4] : resourceGroup().name) } -module automationAccount_solutions '../../Microsoft.OperationsManagement/solutions/deploy.bicep' = [for (gallerySolution, index) in gallerySolutions: if (!empty(linkedWorkspaceResourceId)) { +module automationAccount_solutions '.bicep/nested_solution.bicep' = [for (gallerySolution, index) in gallerySolutions: if (!empty(linkedWorkspaceResourceId)) { name: '${uniqueString(deployment().name, location)}-AutoAccount-Solution-${index}' params: { - name: gallerySolution.name + name: gallerySolution location: location logAnalyticsWorkspaceName: last(split(linkedWorkspaceResourceId, '/')) - product: contains(gallerySolution, 'product') ? gallerySolution.product : 'OMSGallery' - publisher: contains(gallerySolution, 'publisher') ? gallerySolution.publisher : 'Microsoft' - enableDefaultTelemetry: enableReferencedModulesTelemetry } // This is to support solution to law in different subscription and resource group than the automation account. // The current scope is used by default if no linked service is intended to be created. 
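Review bot: `name: gallerySolution` now treats every `gallerySolutions` entry as a bare string, so a caller that still passes the object form this call accepted until now (`{ name, product, publisher }`, the shape shown in the example the patch removes from the readme) hands an object to the nested module where a string is expected and the deployment fails, with nothing in this hunk detecting or documenting the change. The `product`/`publisher` overrides are also no longer forwarded, so presumably `.bicep/nested_solution.bicep` (not in this chunk) hard-codes `OMSGallery`/`Microsoft`, which would rule out non-Microsoft solutions — worth confirming. At minimum the `@description` on `param gallerySolutions` (declared outside this hunk) should state that entries are solution names such as `'Updates'` and that the object form is no longer accepted.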
@@ -327,17 +323,17 @@ module automationAccount_softwareUpdateConfigurations 'softwareUpdateConfigurati 'Security' ] weekDays: contains(softwareUpdateConfiguration, 'weekDays') ? softwareUpdateConfiguration.weekDays : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ automationAccount_solutions ] }] -resource automationAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { - name: '${automationAccount.name}-${lock}-lock' +resource automationAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { + name: '${automationAccount.name}-AutoAccount-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: automationAccount 
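Review bot: The lock name is changed to `'${automationAccount.name}-AutoAccount-${lock}-lock'`, which is inconsistent with every other lock resource in this patch (`'${batchAccount.name}-${lock}-lock'`, `'${cognitiveServices.name}-${lock}-lock'`, `'${availabilitySet.name}-${lock}-lock'`) and, on an account that already carries the old lock, presumably leaves the old `-CanNotDelete-lock` in place while creating a second one under the new name, since an incremental deployment does not remove resources it no longer declares. The `scope` is already the account, so the infix adds no information; suggest `name: '${automationAccount.name}-${lock}-lock'`. Note that with `level: lock` no longer wrapped in `any()`, the `@allowed` list on `param lock` (earlier hunk, outside this one) is now the only thing keeping an invalid level away from the API.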
@@ -356,27 +352,17 @@ resource automationAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSett scope: automationAccount } -module automationAccount_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-AutomationAccount-PrivateEndpoint-${index}' +module automationAccount_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) { + name: '${uniqueString(deployment().name, location)}-AutoAccount-PrivateEndpoint-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(automationAccount.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: automationAccount.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: automationAccount.id + privateEndpointVnetLocation: !empty(privateEndpoints) ? 
reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location : 'dummy' + privateEndpointObj: endpoint + tags: tags } }] -module automationAccount_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module automationAccount_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-AutoAccount-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Automation/automationAccounts/readme.md b/arm/Microsoft.Automation/automationAccounts/readme.md index b95992ee0c..9fe087ec9c 100644 --- a/arm/Microsoft.Automation/automationAccounts/readme.md +++ b/arm/Microsoft.Automation/automationAccounts/readme.md 
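Review bot: The new `automationAccount_privateEndpoints` call drops the per-endpoint options the previous module received — `lock` (which fell back to the account's own lock), `roleAssignments`, `privateDnsZoneGroups`, `manualPrivateLinkServiceConnections` and per-endpoint `tags` — and forwards only `privateEndpointObj: endpoint` plus the account's `tags`. Whether those keys are still honoured depends entirely on `.bicep/nested_privateEndpoint.bicep`, which is not in this chunk; the sibling Cognitive Services template added in this same patch reads `privateDnsZoneResourceIds` and silently ignores `privateDnsZoneGroups`, and if this one behaves the same an unchanged parameter file deploys an endpoint with no DNS zone group, so the account FQDN keeps resolving to the public IP and clients never traverse the private link. The `if (!empty(privateEndpoints))` guard on a loop over `privateEndpoints` and the `!empty(privateEndpoints) ? … : 'dummy'` ternary are both dead, because an empty array yields zero iterations; `privateEndpointVnetLocation: reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location` is all that is needed. Please list the accepted keys in the `@description` of `param privateEndpoints` (declared outside this hunk) and keep passing `lock` so an account lock still cascades to its endpoints.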
@@ -25,7 +25,7 @@ This module deploys an Azure Automation Account. | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.OperationalInsights/workspaces/linkedServices` | [2020-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/linkedServices) | +| `Microsoft.OperationalInsights/workspaces/linkedServices` | [2020-03-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-03-01-preview/workspaces/linkedServices) | | `Microsoft.OperationsManagement/solutions` | [2015-11-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationsManagement/2015-11-01-preview/solutions) | ## Parameters 
@@ -56,7 +56,7 @@ This module deploys an Azure Automation Account. | `keyVersion` | string | `''` | | The key version of the key used to encrypt data. This parameter is needed only if you enable Microsoft.Keyvault as encryptionKeySource. | | `linkedWorkspaceResourceId` | string | `''` | | ID of the log analytics workspace to be linked to the deployed automation account. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `modules` | _[modules](modules/readme.md)_ array | `[]` | | List of modules to be created in the automation account. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -71,7 +71,7 @@ This module deploys an Azure Automation Account. ### Parameter Usage: `encryption` -Prerequisites: +Prerequsites: - User Assigned Identity for Encryption needs `Get`, `List`, `Wrap` and `Unwrap` permissions on the key. - User Assigned Identity have to be one of the defined identities in userAssignedIdentities parameter block. - To use Azure Automation with customer managed keys, both `Soft Delete` and `Do Not Purge` features must be turned on to allow for recovery of keys in case of accidental deletion. 
@@ -357,23 +357,24 @@ userAssignedIdentities: { "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-aut-encr-001" + "value": "<>-wd-aut-encr-001" }, - "encryptionKeySource": { - "value": "Microsoft.Keyvault" + "encryptionKeySource" : { + "value" : "Microsoft.Keyvault" }, "encryptionUserAssignedIdentity": { "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" // this identity needs to be one of the identities defined in userAssignedIdentities section }, - "keyName": { - "value": "keyEncryptionKey" + "keyName" : { + "value" : "keyEncryptionKey" }, - "keyvaultUri": { - "value": "https://adp-<>-az-kv-nopr-002.vault.azure.net/" + "keyvaultUri" : { + "value" : "https://adp-carml-az-kv-nopr-002.vault.azure.net/" }, - "keyVersion": { - "value": "9917c14be51d4d93b37218de7d326f60" + "keyVersion" : { + "value" : "9917c14be51d4d93b37218de7d326f60" }, + "userAssignedIdentities": { "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} @@ -394,11 +395,11 @@ userAssignedIdentities: { module automationAccounts './Microsoft.Automation/automationAccounts/deploy.bicep' = { name: '${uniqueString(deployment().name)}-automationAccounts' params: { - name: '<>-az-aut-encr-001' + name: '<>-wd-aut-encr-001' encryptionKeySource: 'Microsoft.Keyvault' encryptionUserAssignedIdentity: '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001' keyName: 'keyEncryptionKey' - keyvaultUri: 'https://adp-<>-az-kv-nopr-002.vault.azure.net/' + keyvaultUri: 'https://adp-carml-az-kv-nopr-002.vault.azure.net/' keyVersion: '9917c14be51d4d93b37218de7d326f60' userAssignedIdentities: { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} 
@@ -421,7 +422,7 @@ module automationAccounts './Microsoft.Automation/automationAccounts/deploy.bice "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-aut-min-001" + "value": "<>-wd-aut-min-001" } } } @@ -438,7 +439,7 @@ module automationAccounts './Microsoft.Automation/automationAccounts/deploy.bice module automationAccounts './Microsoft.Automation/automationAccounts/deploy.bicep' = { name: '${uniqueString(deployment().name)}-automationAccounts' params: { - name: '<>-az-aut-min-001' + name: '<>-wd-aut-min-001' } ``` @@ -457,17 +458,14 @@ module automationAccounts './Microsoft.Automation/automationAccounts/deploy.bice "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-aut-x-001" - }, - "lock": { - "value": "CanNotDelete" + "value": "<>-wd-aut-x-001" }, "schedules": { "value": [ { "name": "TestSchedule", "startTime": "", - "expiryTime": "9999-12-31T13:00", + "expiryTime": "9999-12-31T23:59:00+00:00", "interval": 15, "frequency": "Minute", "timeZone": "Europe/Berlin", @@ -538,11 +536,7 @@ module automationAccounts './Microsoft.Automation/automationAccounts/deploy.bice }, "gallerySolutions": { "value": [ - { - "name": "Updates", - "product": "OMSGallery", - "publisher": "Microsoft" - } + "Updates" ] }, "softwareUpdateConfigurations": { @@ -664,13 +658,12 @@ module automationAccounts './Microsoft.Automation/automationAccounts/deploy.bice module automationAccounts './Microsoft.Automation/automationAccounts/deploy.bicep' = { name: '${uniqueString(deployment().name)}-automationAccounts' params: { - name: '<>-az-aut-x-001' - lock: 'CanNotDelete' + name: '<>-wd-aut-x-001' schedules: [ { name: 'TestSchedule' startTime: '' - expiryTime: '9999-12-31T13:00' + expiryTime: '9999-12-31T23:59:59.9999999+01:00' interval: 15 frequency: 'Minute' timeZone: 'Europe/Berlin' 
@@ -729,11 +722,7 @@ module automationAccounts './Microsoft.Automation/automationAccounts/deploy.bice ] linkedWorkspaceResourceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-aut-001' gallerySolutions: [ - { - name: 'Updates' - product: 'OMSGallery' - publisher: 'Microsoft' - } + 'Updates' ] softwareUpdateConfigurations: [ { diff --git a/arm/Microsoft.Batch/batchAccounts/.parameters/parameters.json b/arm/Microsoft.Batch/batchAccounts/.parameters/parameters.json index d87ce3fd34..b2085df34e 100644 --- a/arm/Microsoft.Batch/batchAccounts/.parameters/parameters.json +++ b/arm/Microsoft.Batch/batchAccounts/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>azbaweux001" }, - "lock": { - "value": "CanNotDelete" - }, "diagnosticLogsRetentionInDays": { "value": 7 }, diff --git a/arm/Microsoft.Batch/batchAccounts/deploy.bicep b/arm/Microsoft.Batch/batchAccounts/deploy.bicep index 635939747b..30c15296d2 100644 --- a/arm/Microsoft.Batch/batchAccounts/deploy.bicep +++ b/arm/Microsoft.Batch/batchAccounts/deploy.bicep @@ -55,12 +55,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Tags of the resource.') param tags object = {} 
@@ -182,11 +182,11 @@ resource batchAccount 'Microsoft.Batch/batchAccounts@2022-01-01' = { } } -resource batchAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource batchAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${batchAccount.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: batchAccount } diff --git a/arm/Microsoft.Batch/batchAccounts/readme.md b/arm/Microsoft.Batch/batchAccounts/readme.md index 80418ad1ce..426e0cfc8d 100644 --- a/arm/Microsoft.Batch/batchAccounts/readme.md +++ b/arm/Microsoft.Batch/batchAccounts/readme.md @@ -45,7 +45,7 @@ | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `encryptionKeySource` | string | `'Microsoft.Batch'` | `[Microsoft.Batch, Microsoft.KeyVault]` | Type of the key source. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `poolAllocationMode` | string | `'BatchService'` | `[BatchService, UserSubscription]` | The allocation mode for creating pools in the Batch account. Determines which quota will be used. | | `publicNetworkAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | The network access type for operating on the resources in the Batch account. | | `storageAccessIdentity` | string | `''` | | The reference to a user assigned identity associated with the Batch pool which a compute node will use. | 
@@ -194,9 +194,6 @@ module batchAccounts './Microsoft.Batch/batchAccounts/deploy.bicep' = { "name": { "value": "<>azbaweux001" }, - "lock": { - "value": "CanNotDelete" - }, "diagnosticLogsRetentionInDays": { "value": 7 }, @@ -243,7 +240,6 @@ module batchAccounts './Microsoft.Batch/batchAccounts/deploy.bicep' = { name: '${uniqueString(deployment().name)}-batchAccounts' params: { name: '<>azbaweux001' - lock: 'CanNotDelete' diagnosticLogsRetentionInDays: 7 diagnosticStorageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' diff --git a/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_privateEndpoints.bicep b/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_privateEndpoints.bicep new file mode 100644 index 0000000000..4e7cd75dcb --- /dev/null +++ b/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_privateEndpoints.bicep 
@@ -0,0 +1,49 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpoint object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: (contains(privateEndpoint, 'name') ? (empty(privateEndpoint.name) ? '${privateEndpointResourceName}-${privateEndpoint.service}' : privateEndpoint.name) : '${privateEndpointResourceName}-${privateEndpoint.service}')
+ subnetResourceId: privateEndpoint.subnetResourceId
+ service: [
+ privateEndpoint.service
+ ]
+ privateDnsZoneResourceIds: (contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : [])
+ customDnsConfigs: (contains(privateEndpoint, 'customDnsConfigs') ? (empty(privateEndpoint.customDnsConfigs) ? null : privateEndpoint.customDnsConfigs) : null)
+}
+
+resource privateEndpoint_resource 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+}
+
+resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
+ name: '${privateEndpoint_resource.name}/default'
+ properties: {
+ privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: {
+ name: last(split(privateDnsZoneResourceId, '/'))
+ properties: {
+ privateDnsZoneId: privateDnsZoneResourceId
+ }
+ }]
+ }
+}
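Review bot: `privateDnsZoneResourceIds` silently defaults to `[]` when the key is absent, while the wiring this patch removes from the module's `deploy.bicep` accepted `privateDnsZoneGroups`; an unchanged caller therefore gets a private endpoint with no `privateDnsZoneGroup` and no error, the service FQDN keeps resolving to the public IP, and traffic bypasses the private link — easy to miss because the deployment succeeds. `manualPrivateLinkServiceConnections: []` is likewise hard-coded, so that option from the previous module is gone without a trace. No parameter carries a `@description`; `param privateEndpoint object` in particular needs one listing the keys it reads (`subnetResourceId`, `service`, and optional `name`, `privateDnsZoneResourceIds`, `customDnsConfigs`) so callers can see what is honoured and what is ignored. As a point of style, the child resource should be declared with `parent: privateEndpoint_resource` and `name: 'default'` instead of the `'${privateEndpoint_resource.name}/default'` string concatenation, which also makes the dependency explicit.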
diff --git a/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.CognitiveServices/accounts/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.CognitiveServices/accounts/.bicep/nested_rbac.bicep index f7c047dd19..1df70e598a 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_rbac.bicep @@ -64,7 +64,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: account }] diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json index 9b8a8a07da..a7eb9a7d6f 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-cgs-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "kind": { "value": "Face" }, diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json deleted file mode 100644 index 489b409bac..0000000000 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-cgs-speech-001" - }, - "kind": { - "value": "SpeechServices" - }, - "sku": { - "value": "F0" - }, - "systemAssignedIdentity": { - "value": true - }, - "userAssignedIdentities": { - "value": { - "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} - } - }, - "customSubDomainName": { - "value": "<>domain" - }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "account" - } - ] - } - } -} diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index 17c346d42f..4c7c81208e 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -73,7 +73,7 @@ param diagnosticEventHubName string = '' @description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' are set.') param customSubDomainName string = '' -@description('Optional. Whether or not public endpoint access is allowed for this account.') +@description('Optional. Subdomain name used for token-based authentication. Must be set if \'networkAcls\' are set.') @allowed([ 'Enabled' 'Disabled' @@ -90,12 +90,12 @@ param systemAssignedIdentity bool = false param userAssignedIdentities object = {} @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Configuration Details for private endpoints.') param privateEndpoints array = [] 
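Review bot: The new `@description` on `param publicNetworkAccess` is wrong — it is the `customSubDomainName` text ('Subdomain name used for token-based authentication…'), so the generated readme now describes a network-exposure switch as a DNS sub-domain setting and gives operators no hint that the default `'Enabled'` leaves the account reachable from the internet. Restore the original wording, `@description('Optional. Whether or not public endpoint access is allowed for this account.')`, and regenerate the readme table, which carries the same copy-paste in this patch. The `@allowed([ 'Enabled' 'Disabled' ])` list and the parameter line itself continue past the end of this hunk.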
@@ -173,8 +173,6 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { } }] -var enableReferencedModulesTelemetry = false - var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { @@ -224,11 +222,11 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { } } -resource cognitiveServices_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource cognitiveServices_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${cognitiveServices.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: cognitiveServices } 
@@ -246,27 +244,17 @@ resource cognitiveServices_diagnosticSettingName 'Microsoft.Insights/diagnostics scope: cognitiveServices } -module cognitiveServices_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { +module cognitiveServices_privateEndpoints '.bicep/nested_privateEndpoints.bicep' = [for (privateEndpoint, index) in privateEndpoints: { name: '${uniqueString(deployment().name, location)}-CognitiveServices-PrivateEndpoint-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(cognitiveServices.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: cognitiveServices.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: cognitiveServices.id + privateEndpointVnetLocation: (empty(privateEndpoints) ? 
'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) + privateEndpoint: privateEndpoint + tags: tags } }] -module cognitiveServices_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module cognitiveServices_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-CognitiveServices-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index 800db10ae6..9a481c9c51 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -19,7 +19,7 @@ This module deploys different kinds of cognitive services resources | `Microsoft.CognitiveServices/accounts` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.CognitiveServices/2021-10-01/accounts) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters 
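Review bot: `cognitiveServices_privateEndpoints` no longer forwards `lock`, so the previous `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock` behaviour — an account-level `CanNotDelete`/`ReadOnly` lock cascading to its private endpoints — is lost and the endpoint becomes the one unprotected piece of an otherwise locked deployment; `roleAssignments`, `privateDnsZoneGroups`, `manualPrivateLinkServiceConnections` and per-endpoint `tags` (now overridden by the account's `tags`) are dropped the same way, and `.bicep/nested_privateEndpoints.bicep` as added in this patch reads only `name`, `subnetResourceId`, `service`, `privateDnsZoneResourceIds` and `customDnsConfigs`. The `empty(privateEndpoints) ? 'dummy' : …` ternary is dead inside a loop over `privateEndpoints` (an empty array yields zero iterations), so `privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location` suffices. Either pass `lock` through to the nested template or state in the `@description` of `param privateEndpoints` (outside this hunk) that endpoints are never locked. The `cognitiveServices_rbac` module call that follows continues past the end of the hunk.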
@@ -51,11 +51,11 @@ This module deploys different kinds of cognitive services resources | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `encryption` | object | `{object}` | | Properties to configure encryption. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `migrationToken` | string | `''` | | Resource migration token. | | `networkAcls` | object | `{object}` | | Service endpoint object information. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | -| `publicNetworkAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | Whether or not public endpoint access is allowed for this account. | +| `publicNetworkAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | Subdomain name used for token-based authentication. Must be set if 'networkAcls' are set. | | `restore` | bool | `False` | | Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists. | | `restrictOutboundNetworkAccess` | bool | `True` | | Restrict outbound network access. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -366,9 +366,6 @@ userAssignedIdentities: { "name": { "value": "<>-az-cgs-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "kind": { "value": "Face" }, 
@@ -424,7 +421,6 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { name: '${uniqueString(deployment().name)}-accounts' params: { name: '<>-az-cgs-x-001' - lock: 'CanNotDelete' kind: 'Face' sku: 'F0' roleAssignments: [ @@ -449,77 +445,3 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = {

- -

Example 2

- -
- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-cgs-speech-001" - }, - "kind": { - "value": "SpeechServices" - }, - "sku": { - "value": "F0" - }, - "systemAssignedIdentity": { - "value": true - }, - "userAssignedIdentities": { - "value": { - "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} - } - }, - "customSubDomainName": { - "value": "<>domain" - }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "account" - } - ] - } - } -} - -``` - -
- -
- -via Bicep module - -```bicep -module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-accounts' - params: { - name: '<>-az-cgs-speech-001' - kind: 'SpeechServices' - sku: 'F0' - systemAssignedIdentity: true - userAssignedIdentities: { - '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} - } - customSubDomainName: '<>domain' - privateEndpoints: [ - { - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' - service: 'account' - } - ] - } -``` - -
-

diff --git a/arm/Microsoft.Compute/availabilitySets/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Compute/availabilitySets/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Compute/availabilitySets/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Compute/availabilitySets/.bicep/nested_rbac.bicep index 943e72d9a7..313833717c 100644 --- a/arm/Microsoft.Compute/availabilitySets/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Compute/availabilitySets/.bicep/nested_rbac.bicep @@ -55,7 +55,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: availabilitySet }] diff --git a/arm/Microsoft.Compute/availabilitySets/.parameters/parameters.json b/arm/Microsoft.Compute/availabilitySets/.parameters/parameters.json index f7d8be50c6..cfa2eab50f 100644 --- a/arm/Microsoft.Compute/availabilitySets/.parameters/parameters.json +++ b/arm/Microsoft.Compute/availabilitySets/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-avs-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.Compute/availabilitySets/deploy.bicep b/arm/Microsoft.Compute/availabilitySets/deploy.bicep index 487a64c862..416f8573fe 100644 --- a/arm/Microsoft.Compute/availabilitySets/deploy.bicep +++ b/arm/Microsoft.Compute/availabilitySets/deploy.bicep 
@@ -20,12 +20,12 @@ param proximityPlacementGroupId string = '' param location string = resourceGroup().location @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -64,16 +64,16 @@ resource availabilitySet 'Microsoft.Compute/availabilitySets@2021-07-01' = { } } -resource availabilitySet_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource availabilitySet_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${availabilitySet.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: availabilitySet } -module availabilitySet_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module availabilitySet_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-AvSet-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Compute/availabilitySets/readme.md b/arm/Microsoft.Compute/availabilitySets/readme.md index 871371a75e..508453929b 100644 --- a/arm/Microsoft.Compute/availabilitySets/readme.md +++ b/arm/Microsoft.Compute/availabilitySets/readme.md 
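Review bot: Removing `''` from the `@allowed` list of `lock` in availabilitySets/deploy.bicep is a breaking interface change: any caller that still passes the old default (`lock: ''`, from an older parameter file or a wrapper forwarding an empty value) now fails template validation instead of deploying without a lock. If that is intended it should be called out as breaking in the commit message and readme; otherwise keep the empty string accepted and treat both values as "no lock", e.g. `@allowed(['', 'CanNotDelete', 'NotSpecified', 'ReadOnly'])` together with `if (!empty(lock) && lock != 'NotSpecified')`. Note also that the same commit drops `lock` from the module's test parameters, so the `availabilitySet_lock` resource is no longer exercised by the module pipeline; keeping `"lock": { "value": "CanNotDelete" }` in the parameter file would preserve that coverage.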
@@ -32,7 +32,7 @@ This template deploys an availability set | `availabilitySetUpdateDomain` | int | `5` | | The number of update domains to use. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Resource location. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `proximityPlacementGroupId` | string | `''` | | Resource ID of a proximity placement group. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the availability set resource. | @@ -199,9 +199,6 @@ module availabilitySets './Microsoft.Compute/availabilitySets/deploy.bicep' = { "name": { "value": "<>-az-avs-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { @@ -231,7 +228,6 @@ module availabilitySets './Microsoft.Compute/availabilitySets/deploy.bicep' = { name: '${uniqueString(deployment().name)}-availabilitySets' params: { name: '<>-az-avs-x-001' - lock: 'CanNotDelete' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' 
diff --git a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_rbac.bicep index 0a30936aa6..868895bd11 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_rbac.bicep @@ -53,7 +53,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: diskEncryptionSet }] diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep index 5751f949a7..450cc072f2 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep +++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep @@ -84,7 +84,7 @@ module keyVaultAccessPolicies '.bicep/nested_kvAccessPolicy.bicep' = { scope: resourceGroup(split(keyVaultId, '/')[2], split(keyVaultId, '/')[4]) } -module diskEncryptionSet_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module diskEncryptionSet_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-DiskEncrSet-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' 
diff --git a/arm/Microsoft.Compute/disks/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Compute/disks/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Compute/disks/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Compute/disks/.bicep/nested_rbac.bicep index 0e70664573..9b36f17d2f 100644 --- a/arm/Microsoft.Compute/disks/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Compute/disks/.bicep/nested_rbac.bicep @@ -54,7 +54,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: disk }] diff --git a/arm/Microsoft.Compute/disks/.parameters/parameters.json b/arm/Microsoft.Compute/disks/.parameters/parameters.json index 833336ee1e..3608893d90 100644 --- a/arm/Microsoft.Compute/disks/.parameters/parameters.json +++ b/arm/Microsoft.Compute/disks/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-disk-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "sku": { "value": "UltraSSD_LRS" }, diff --git a/arm/Microsoft.Compute/disks/deploy.bicep b/arm/Microsoft.Compute/disks/deploy.bicep index e0b4ce52ad..98a1afaaf1 100644 --- a/arm/Microsoft.Compute/disks/deploy.bicep +++ b/arm/Microsoft.Compute/disks/deploy.bicep 
@@ -103,12 +103,12 @@ param publicNetworkAccess string = 'Disabled' param acceleratedNetwork bool = false @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -167,16 +167,16 @@ resource disk 'Microsoft.Compute/disks@2021-08-01' = { } } -resource disk_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource disk_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${disk.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: disk } -module disk_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module disk_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-AvSet-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Compute/disks/readme.md b/arm/Microsoft.Compute/disks/readme.md index 6c9770f0b0..a51cd6b34e 100644 --- a/arm/Microsoft.Compute/disks/readme.md +++ b/arm/Microsoft.Compute/disks/readme.md 
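Review bot: The nested deployment for disk role assignments is still named `'${uniqueString(deployment().name, location)}-AvSet-Rbac-${index}'` (context line directly under the renamed `disk_rbac` module path), which looks copied from the availability-set module. Deployment names appear in the resource group's deployment history and in the activity log, so role-assignment deployments for disks labelled `AvSet` make audit and incident triage harder than they need to be. Since the module declaration right above it is being changed anyway, suggest `name: '${uniqueString(deployment().name, location)}-Disk-Rbac-${index}'`. The `disk_rbac` module body continues outside the hunk.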
@@ -39,7 +39,7 @@ This template deploys a disk | `hyperVGeneration` | string | `'V2'` | `[V1, V2]` | The hypervisor generation of the Virtual Machine. Applicable to OS disks only. | | `imageReferenceId` | string | `''` | | A relative uri containing either a Platform Image Repository or user image reference. | | `location` | string | `[resourceGroup().location]` | | Resource location. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `logicalSectorSize` | int | `4096` | | Logical sector size in bytes for Ultra disks. Supported values are 512 ad 4096. | | `maxShares` | int | `1` | | The maximum number of VMs that can attach to the disk at the same time. Default value is 0. | | `networkAccessPolicy` | string | `'DenyAll'` | `[AllowAll, AllowPrivate, DenyAll]` | Policy for accessing the disk via network. | @@ -377,9 +377,6 @@ module disks './Microsoft.Compute/disks/deploy.bicep' = { "name": { "value": "<>-az-disk-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "sku": { "value": "UltraSSD_LRS" }, @@ -427,7 +424,6 @@ module disks './Microsoft.Compute/disks/deploy.bicep' = { name: '${uniqueString(deployment().name)}-disks' params: { name: '<>-az-disk-x-001' - lock: 'CanNotDelete' sku: 'UltraSSD_LRS' diskSizeGB: 128 logicalSectorSize: 512 diff --git a/arm/Microsoft.Compute/galleries/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Compute/galleries/.bicep/nested_rbac.bicep similarity index 96% rename from arm/Microsoft.Compute/galleries/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Compute/galleries/.bicep/nested_rbac.bicep index 0186f68665..b5e460cbdc 100644 --- a/arm/Microsoft.Compute/galleries/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Compute/galleries/.bicep/nested_rbac.bicep 
@@ -39,7 +39,7 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource gallery 'Microsoft.Compute/galleries@2021-10-01' existing = { +resource gallery 'Microsoft.Compute/galleries@2020-09-30' existing = { name: last(split(resourceId, '/')) } @@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: gallery }] diff --git a/arm/Microsoft.Compute/galleries/.parameters/parameters.json b/arm/Microsoft.Compute/galleries/.parameters/parameters.json index 960e0365b2..ccacaf0742 100644 --- a/arm/Microsoft.Compute/galleries/.parameters/parameters.json +++ b/arm/Microsoft.Compute/galleries/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>azsigweux001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.Compute/galleries/deploy.bicep b/arm/Microsoft.Compute/galleries/deploy.bicep index 79c44f1104..4a421a8f2b 100644 --- a/arm/Microsoft.Compute/galleries/deploy.bicep +++ b/arm/Microsoft.Compute/galleries/deploy.bicep 
@@ -12,12 +12,12 @@ param galleryDescription string = '' param images array = [] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -28,7 +28,7 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -42,7 +42,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource gallery 'Microsoft.Compute/galleries@2021-10-01' = { +resource gallery 'Microsoft.Compute/galleries@2020-09-30' = { name: name location: location tags: tags 
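Review bot: The `gallery` resource is moved back from API version `2021-10-01` to `2020-09-30` with no reason given in the hunk or the commit, and the same downgrade is applied to the `existing` references and the readme tables. A downgrade silently drops any property that only exists in the newer schema and pins the module to an older surface that will be retired sooner, so if this is a deliberate workaround (a tooling, region or validation issue, for instance) a comment on the resource would save the next maintainer from "fixing" it back: `// API version pinned to 2020-09-30: <reason>`. If there is no such reason, I would revert this module and its readme to `2021-10-01`.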
@@ -52,16 +52,16 @@ resource gallery 'Microsoft.Compute/galleries@2021-10-01' = { } } -resource gallery_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource gallery_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${gallery.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: gallery } -module gallery_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module gallery_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-Gallery-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' @@ -99,7 +99,7 @@ module galleries_images 'images/deploy.bicep' = [for (image, index) in images: { excludedDiskTypes: contains(image, 'excludedDiskTypes') ? image.excludedDiskTypes : [] roleAssignments: contains(image, 'roleAssignments') ? image.roleAssignments : [] tags: contains(image, 'tags') ? image.tags : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] diff --git a/arm/Microsoft.Compute/galleries/images/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Compute/galleries/images/.bicep/nested_rbac.bicep similarity index 95% rename from arm/Microsoft.Compute/galleries/images/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Compute/galleries/images/.bicep/nested_rbac.bicep index caa9501f85..21099871d8 100644 --- a/arm/Microsoft.Compute/galleries/images/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Compute/galleries/images/.bicep/nested_rbac.bicep 
@@ -41,7 +41,7 @@ var builtInRoleNames = { 'myCustomRoleAtSub': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60cb79d9-783a-50a4-9f05-d4c579fb8ce3') } -resource galleryImage 'Microsoft.Compute/galleries/images@2021-10-01' existing = { +resource galleryImage 'Microsoft.Compute/galleries/images@2020-09-30' existing = { name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}' } @@ -51,7 +51,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: galleryImage }] diff --git a/arm/Microsoft.Compute/galleries/images/deploy.bicep b/arm/Microsoft.Compute/galleries/images/deploy.bicep index e7d9eeaade..beab97c68f 100644 --- a/arm/Microsoft.Compute/galleries/images/deploy.bicep +++ b/arm/Microsoft.Compute/galleries/images/deploy.bicep @@ -106,11 +106,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource gallery 'Microsoft.Compute/galleries@2021-10-01' existing = { +resource gallery 'Microsoft.Compute/galleries@2020-09-30' existing = { name: galleryName } -resource image 'Microsoft.Compute/galleries/images@2021-10-01' = { +resource image 'Microsoft.Compute/galleries/images@2020-09-30' = { name: name parent: gallery location: location 
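Review bot: The `builtInRoleNames` map in the renamed galleries/images nested_rbac.bicep still contains `'myCustomRoleAtSub': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '60cb79d9-783a-50a4-9f05-d4c579fb8ce3')` (context line at the top of the hunk), which is not a built-in role and looks like test residue. Because `roleDefinitionIdOrName` is resolved through this map first, a caller passing that name gets an assignment to whatever that GUID resolves to in the deploying subscription, or a deployment failure, with nothing in the module documentation to explain it. Suggest removing the entry; a genuine custom role can already be supplied as a fully qualified ID through `roleDefinitionIdOrName`, as the parameter description states. The map's declaration starts before this hunk.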
@@ -150,7 +150,7 @@ resource image 'Microsoft.Compute/galleries/images@2021-10-01' = { } } -module galleryImage_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module galleryImage_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${deployment().name}-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Compute/galleries/images/readme.md b/arm/Microsoft.Compute/galleries/images/readme.md index 578ab26887..f0066920d8 100644 --- a/arm/Microsoft.Compute/galleries/images/readme.md +++ b/arm/Microsoft.Compute/galleries/images/readme.md @@ -13,7 +13,7 @@ This module deploys an Image Definition in a Shared Image Gallery. | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | -| `Microsoft.Compute/galleries/images` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-10-01/galleries/images) | +| `Microsoft.Compute/galleries/images` | [2020-09-30](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-09-30/galleries/images) | ## Parameters diff --git a/arm/Microsoft.Compute/galleries/readme.md b/arm/Microsoft.Compute/galleries/readme.md index 5865fa0c01..991968ac5e 100644 --- a/arm/Microsoft.Compute/galleries/readme.md +++ b/arm/Microsoft.Compute/galleries/readme.md 
@@ -15,8 +15,8 @@ This module deploys an Azure compute gallery (formerly known as shared image gal | :-- | :-- | | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | -| `Microsoft.Compute/galleries` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-10-01/galleries) | -| `Microsoft.Compute/galleries/images` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-10-01/galleries/images) | +| `Microsoft.Compute/galleries` | [2020-09-30](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-09-30/galleries) | +| `Microsoft.Compute/galleries/images` | [2020-09-30](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-09-30/galleries/images) | ## Parameters 
@@ -32,7 +32,7 @@ This module deploys an Azure compute gallery (formerly known as shared image gal | `galleryDescription` | string | `''` | | Description of the Azure Shared Image Gallery. | | `images` | _[images](images/readme.md)_ array | `[]` | | Images to create. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags for all resources. | @@ -278,9 +278,6 @@ module galleries './Microsoft.Compute/galleries/deploy.bicep' = { "name": { "value": "<>azsigweux001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { @@ -307,7 +304,6 @@ module galleries './Microsoft.Compute/galleries/deploy.bicep' = { name: '${uniqueString(deployment().name)}-galleries' params: { name: '<>azsigweux001' - lock: 'CanNotDelete' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/arm/Microsoft.Compute/images/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Compute/images/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Compute/images/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Compute/images/.bicep/nested_rbac.bicep index 95f8211862..f222a9d4d0 100644 --- a/arm/Microsoft.Compute/images/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Compute/images/.bicep/nested_rbac.bicep 
@@ -51,7 +51,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: image }] diff --git a/arm/Microsoft.Compute/images/deploy.bicep b/arm/Microsoft.Compute/images/deploy.bicep index dc01ff1312..bfb2bfaee5 100644 --- a/arm/Microsoft.Compute/images/deploy.bicep +++ b/arm/Microsoft.Compute/images/deploy.bicep @@ -62,7 +62,7 @@ resource image 'Microsoft.Compute/images@2021-04-01' = { } } -module image_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module image_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-Image-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Compute/proximityPlacementGroups/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Compute/proximityPlacementGroups/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Compute/proximityPlacementGroups/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Compute/proximityPlacementGroups/.bicep/nested_rbac.bicep index 883e781c21..f99366d75b 100644 --- a/arm/Microsoft.Compute/proximityPlacementGroups/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Compute/proximityPlacementGroups/.bicep/nested_rbac.bicep 
@@ -53,7 +53,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: proximityPlacementGroup }] diff --git a/arm/Microsoft.Compute/proximityPlacementGroups/.parameters/parameters.json b/arm/Microsoft.Compute/proximityPlacementGroups/.parameters/parameters.json index 48ab4ed9c9..71bff3e25d 100644 --- a/arm/Microsoft.Compute/proximityPlacementGroups/.parameters/parameters.json +++ b/arm/Microsoft.Compute/proximityPlacementGroups/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-ppg-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.Compute/proximityPlacementGroups/deploy.bicep b/arm/Microsoft.Compute/proximityPlacementGroups/deploy.bicep index f9fb427305..90f06cff8f 100644 --- a/arm/Microsoft.Compute/proximityPlacementGroups/deploy.bicep +++ b/arm/Microsoft.Compute/proximityPlacementGroups/deploy.bicep 
@@ -12,12 +12,12 @@ param proximityPlacementGroupType string = 'Standard' param location string = resourceGroup().location @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -49,16 +49,16 @@ resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@202 } } -resource proximityPlacementGroup_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource proximityPlacementGroup_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${proximityPlacementGroup.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: proximityPlacementGroup } -module proximityPlacementGroup_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module proximityPlacementGroup_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-ProxPlaceGroup-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Compute/proximityPlacementGroups/readme.md b/arm/Microsoft.Compute/proximityPlacementGroups/readme.md index 7e223230a5..d6626d621c 100644 --- a/arm/Microsoft.Compute/proximityPlacementGroups/readme.md 
+++ b/arm/Microsoft.Compute/proximityPlacementGroups/readme.md @@ -29,7 +29,7 @@ This template deploys a proximity placement group. | :-- | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Resource location. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `proximityPlacementGroupType` | string | `'Standard'` | `[Standard, Ultra]` | Specifies the type of the proximity placement group. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the proximity placement group resource. | @@ -160,9 +160,6 @@ tags: { "name": { "value": "<>-az-ppg-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { @@ -189,7 +186,6 @@ module proximityPlacementGroups './Microsoft.Compute/proximityPlacementGroups/de name: '${uniqueString(deployment().name)}-proximityPlacementGroups' params: { name: '<>-az-ppg-x-001' - lock: 'CanNotDelete' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' 
diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_rbac.bicep index a82b2c3b0d..4e3722661f 100644 --- a/arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_rbac.bicep @@ -54,7 +54,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: vmss }] diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/.parameters/linux.parameters.json b/arm/Microsoft.Compute/virtualMachineScaleSets/.parameters/linux.parameters.json index b17e54d583..b4d6340af2 100644 --- a/arm/Microsoft.Compute/virtualMachineScaleSets/.parameters/linux.parameters.json +++ b/arm/Microsoft.Compute/virtualMachineScaleSets/.parameters/linux.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-scaleset-linux-001" }, - "lock": { - "value": "CanNotDelete" - }, "vmNamePrefix": { "value": "vmsslinvm" }, diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/.parameters/windows.parameters.json b/arm/Microsoft.Compute/virtualMachineScaleSets/.parameters/windows.parameters.json index 6eed374c0f..1fec6b76b8 100644 --- a/arm/Microsoft.Compute/virtualMachineScaleSets/.parameters/windows.parameters.json +++ b/arm/Microsoft.Compute/virtualMachineScaleSets/.parameters/windows.parameters.json 
@@ -5,9 +5,6 @@ "name": { "value": "<>-scaleset-win-001" }, - "lock": { - "value": "CanNotDelete" - }, "vmNamePrefix": { "value": "vmsswinvm" }, diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep b/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep index f672d34db8..3546ea8c18 100644 --- a/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep +++ b/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep @@ -158,12 +158,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Specifies the mode of an upgrade to virtual machines in the scale set.\' Manual - You control the application of updates to virtual machines in the scale set. You do this by using the manualUpgrade action. ; Automatic - All virtual machines in the scale set are automatically updated at the same time. - Automatic, Manual, Rolling.') @allowed([ @@ -341,7 +341,7 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -497,7 +497,7 @@ module vmss_domainJoinExtension 'extensions/deploy.bicep' = if (extensionDomainJ protectedSettings: { Password: extensionDomainJoinPassword } - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } 
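Review bot: With `lock` removed from both linux.parameters.json and windows.parameters.json, the new `vmss_lock` condition `lock != 'NotSpecified'` in virtualMachineScaleSets/deploy.bicep is never true during the module's own test deployment, so the lock branch (and the `'NotSpecified'` default replacing `''`) ships unexercised. Keeping `"lock": { "value": "CanNotDelete" }` in at least one of the two parameter files would restore that coverage at no cost. As in the other modules, dropping `''` from the `@allowed` list is also a breaking change for callers that forward the old empty default and should be noted as such.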
@@ -512,7 +512,7 @@ module vmss_microsoftAntiMalwareExtension 'extensions/deploy.bicep' = if (extens autoUpgradeMinorVersion: contains(extensionAntiMalwareConfig, 'autoUpgradeMinorVersion') ? extensionAntiMalwareConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionAntiMalwareConfig, 'enableAutomaticUpgrade') ? extensionAntiMalwareConfig.enableAutomaticUpgrade : false settings: extensionAntiMalwareConfig.settings - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -537,7 +537,7 @@ module vmss_microsoftMonitoringAgentExtension 'extensions/deploy.bicep' = if (ex protectedSettings: { workspaceKey: !empty(monitoringWorkspaceId) ? vmss_logAnalyticsWorkspace.listKeys().primarySharedKey : '' } - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -551,7 +551,7 @@ module vmss_dependencyAgentExtension 'extensions/deploy.bicep' = if (extensionDe typeHandlerVersion: contains(extensionDependencyAgentConfig, 'typeHandlerVersion') ? extensionDependencyAgentConfig.typeHandlerVersion : '9.5' autoUpgradeMinorVersion: contains(extensionDependencyAgentConfig, 'autoUpgradeMinorVersion') ? extensionDependencyAgentConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionDependencyAgentConfig, 'enableAutomaticUpgrade') ? extensionDependencyAgentConfig.enableAutomaticUpgrade : true - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } 
@@ -565,7 +565,7 @@ module vmss_networkWatcherAgentExtension 'extensions/deploy.bicep' = if (extensi typeHandlerVersion: contains(extensionNetworkWatcherAgentConfig, 'typeHandlerVersion') ? extensionNetworkWatcherAgentConfig.typeHandlerVersion : '1.4' autoUpgradeMinorVersion: contains(extensionNetworkWatcherAgentConfig, 'autoUpgradeMinorVersion') ? extensionNetworkWatcherAgentConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionNetworkWatcherAgentConfig, 'enableAutomaticUpgrade') ? extensionNetworkWatcherAgentConfig.enableAutomaticUpgrade : false - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -581,7 +581,7 @@ module vmss_desiredStateConfigurationExtension 'extensions/deploy.bicep' = if (e enableAutomaticUpgrade: contains(extensionDSCConfig, 'enableAutomaticUpgrade') ? extensionDSCConfig.enableAutomaticUpgrade : false settings: contains(extensionDSCConfig, 'settings') ? extensionDSCConfig.settings : {} protectedSettings: contains(extensionDSCConfig, 'protectedSettings') ? extensionDSCConfig.protectedSettings : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -599,7 +599,7 @@ module vmss_customScriptExtension 'extensions/deploy.bicep' = if (extensionCusto fileUris: [for fileData in extensionCustomScriptConfig.fileData: contains(fileData, 'storageAccountId') ? '${fileData.uri}?${listAccountSas(fileData.storageAccountId, '2019-04-01', accountSasProperties).accountSasToken}' : fileData.uri] } protectedSettings: contains(extensionCustomScriptConfig, 'protectedSettings') ? extensionCustomScriptConfig.protectedSettings : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ vmss_desiredStateConfigurationExtension 
@@ -618,7 +618,7 @@ module vmss_diskEncryptionExtension 'extensions/deploy.bicep' = if (extensionDis enableAutomaticUpgrade: contains(extensionDiskEncryptionConfig, 'enableAutomaticUpgrade') ? extensionDiskEncryptionConfig.enableAutomaticUpgrade : false forceUpdateTag: contains(extensionDiskEncryptionConfig, 'forceUpdateTag') ? extensionDiskEncryptionConfig.forceUpdateTag : '1.0' settings: extensionDiskEncryptionConfig.settings - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ vmss_customScriptExtension @@ -626,10 +626,10 @@ module vmss_diskEncryptionExtension 'extensions/deploy.bicep' = if (extensionDis ] } -resource vmss_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource vmss_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${vmss.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: vmss @@ -647,7 +647,7 @@ resource vmss_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05- scope: vmss } -module vmss_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module vmss_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-VMSS-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md b/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md index f6233c9cec..231878b5a7 100644 --- a/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md +++ b/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md 
@@ -77,7 +77,7 @@ The following resources are required to be able to deploy this resource. | `gracePeriod` | string | `'PT30M'` | | The amount of time for which automatic repairs are suspended due to a state change on VM. The grace time starts after the state change has completed. This helps avoid premature or accidental repairs. The time duration should be specified in ISO 8601 format. The minimum allowed grace period is 30 minutes (PT30M). The maximum allowed grace period is 90 minutes (PT90M). | | `licenseType` | string | `''` | `[Windows_Client, Windows_Server, ]` | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `maxBatchInstancePercent` | int | `20` | | The maximum percent of total virtual machine instances that will be upgraded simultaneously by the rolling upgrade in one batch. As this is a maximum, unhealthy instances in previous or future batches can cause the percentage of instances in a batch to decrease to ensure higher reliability. | | `maxPriceForLowPriorityVm` | string | `''` | | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | | `maxUnhealthyInstancePercent` | int | `20` | | The maximum percentage of the total virtual machine instances in the scale set that can be simultaneously unhealthy, either as a result of being upgraded, or by being found in an unhealthy state by the virtual machine health checks before the rolling upgrade aborts. This constraint will be checked prior to starting any batch. | 
@@ -1015,9 +1015,6 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "name": { "value": "<>-scaleset-linux-001" }, - "lock": { - "value": "CanNotDelete" - }, "vmNamePrefix": { "value": "vmsslinvm" }, @@ -1211,7 +1208,6 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl name: '${uniqueString(deployment().name)}-virtualMachineScaleSets' params: { name: '<>-scaleset-linux-001' - lock: 'CanNotDelete' vmNamePrefix: 'vmsslinvm' skuName: 'Standard_B2s' skuCapacity: 1 @@ -1441,8 +1437,38 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl sku: '2016-Datacenter' version: 'latest' } - adminUsername: kv1.getSecret('adminUsername') - adminPassword: kv1.getSecret('adminPassword') + adminUsername: [ + { + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + } + secretName: 'adminUsername' + } + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true + } + ] + adminPassword: [ + { + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + } + secretName: 'adminPassword' + } + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true + } + ] nicConfigurations: [ { nicSuffix: '-nic01' @@ -1478,9 +1504,6 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl "name": { "value": "<>-scaleset-win-001" }, - "lock": { - "value": "CanNotDelete" - }, "vmNamePrefix": { "value": "vmsswinvm" }, 
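Review bot: The Bicep example in the `@@ -1441` hunk (and again in the `@@ -1700` hunk for the Windows scale set) now sets `adminUsername` and `adminPassword` to an array holding a serialized PowerShell object (`MemberType: 8`, `IsSettable`, `TypeNameOfValue: 'System.Management.Automation.PSCustomObject'`), which is not a valid value for a string parameter and reads like the readme generator dumped its intermediate object instead of the Key Vault reference. The JSON examples on the same page keep the `reference`/`keyVault` form, so the Bicep examples should be restored to `adminUsername: kv1.getSecret('adminUsername')` and `adminPassword: kv1.getSecret('adminPassword')`, and the generator fixed so it does not regress on the next run.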
@@ -1675,7 +1698,6 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl name: '${uniqueString(deployment().name)}-virtualMachineScaleSets' params: { name: '<>-scaleset-win-001' - lock: 'CanNotDelete' vmNamePrefix: 'vmsswinvm' skuName: 'Standard_B2s' skuCapacity: 1 @@ -1700,8 +1722,38 @@ module virtualMachineScaleSets './Microsoft.Compute/virtualMachineScaleSets/depl sku: '2016-Datacenter' version: 'latest' } - adminUsername: kv1.getSecret('adminUsername') - adminPassword: kv1.getSecret('adminPassword') + adminUsername: [ + { + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + } + secretName: 'adminUsername' + } + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true + } + ] + adminPassword: [ + { + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + } + secretName: 'adminPassword' + } + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true + } + ] nicConfigurations: [ { nicSuffix: '-nic01' diff --git a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_backup.bicep b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_backup.bicep new file mode 100644 index 0000000000..7e6865bc6b --- /dev/null +++ b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_backup.bicep 
@@ -0,0 +1,27 @@
+param backupResourceName string
+
+@allowed([
+ 'AzureFileShareProtectedItem'
+ 'AzureVmWorkloadSAPAseDatabase'
+ 'AzureVmWorkloadSAPHanaDatabase'
+ 'AzureVmWorkloadSQLDatabase'
+ 'DPMProtectedItem'
+ 'GenericProtectedItem'
+ 'MabFileFolderProtectedItem'
+ 'Microsoft.ClassicCompute/virtualMachines'
+ 'Microsoft.Compute/virtualMachines'
+ 'Microsoft.Sql/servers/databases'
+])
+param protectedItemType string
+param backupPolicyId string
+param sourceResourceId string
+
+resource backup 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems@2021-06-01' = {
+ name: backupResourceName
+ location: resourceGroup().location
+ properties: {
+ protectedItemType: protectedItemType
+ policyId: backupPolicyId
+ sourceResourceId: sourceResourceId
+ }
+}
diff --git a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_configurationProfileAssignment.bicep b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_configurationProfileAssignment.bicep
new file mode 100644
index 0000000000..35df401f8f
--- /dev/null
+++ b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_configurationProfileAssignment.bicep
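Review bot: None of the four parameters in `nested_backup.bicep` carries a `@description` decorator, while the sibling `nested_configurationProfileAssignment.bicep` added in the same commit documents every parameter and output, so readme generation has nothing to pick up here. Suggested text: `@description('Required. The name of the protected item to create under the Recovery Services vault.')` before `backupResourceName`, `@description('Required. The type of the protected item.')` before `protectedItemType`, `@description('Required. The resource ID of the backup policy to apply.')` before `backupPolicyId` and `@description('Required. The resource ID of the resource to protect.')` before `sourceResourceId`; the exact name format the vault expects is not visible in this chunk and should be stated once confirmed against the caller. `location: resourceGroup().location` is also hard-wired although the other nested files take `location` as a parameter, which is worth aligning for consistency.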
@@ -0,0 +1,33 @@
+@description('Optional. The name of the configuration profile assignment')
+param name string = 'default'
+
+@description('Required. The name of the VM to be associated')
+param virtualMachineName string
+
+@description('Required. The configuration profile of automanage')
+@allowed([
+ '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction'
+ '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest'
+])
+param configurationProfile string
+
+resource virtualMachine 'Microsoft.Compute/virtualMachines@2021-07-01' existing = {
+ name: virtualMachineName
+}
+
+resource configurationProfileAssignment 'Microsoft.Automanage/configurationProfileAssignments@2021-04-30-preview' = {
+ name: name
+ properties: {
+ configurationProfile: configurationProfile
+ }
+ scope: virtualMachine
+}
+
+@description('The resource ID of the configuration profile assignment')
+output resourceId string = configurationProfileAssignment.id
+
+@description('The name of the configuration profile assignment')
+output name string = configurationProfileAssignment.name
+
+@description('The resource group the configuration profile assignment was deployed into')
+output resourceGroupName string = resourceGroup().name
diff --git a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface.bicep b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface.bicep
index ba94af9262..e7b50c9edd 100644
--- a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface.bicep
+++ b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface.bicep
@@ -5,12 +5,9 @@ param tags object param enableIPForwarding bool = false param enableAcceleratedNetworking bool = false param dnsServers array = [] - -@description('Optional. The network security group (NSG) to attach to the network interface.') -param networkSecurityGroupResourceId string = '' - -param ipConfigurations array -param lock string = '' +param networkSecurityGroupId string = '' +param ipConfigurationArray array +param lock string param diagnosticStorageAccountId string param diagnosticLogsRetentionInDays int param diagnosticWorkspaceId string @@ -19,12 +16,7 @@ param diagnosticEventHubName string param pipdiagnosticMetricsToEnable array param pipdiagnosticLogCategoriesToEnable array param nicDiagnosticMetricsToEnable array - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] - -@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true +param roleAssignments array @description('Optional. The name of the PIP diagnostic setting, if deployed.') param pipDiagnosticSettingsName string = '${virtualMachineName}-diagnosticSettings' 
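Review bot: The new side drops the `@description` decorators the old side had on `networkSecurityGroupResourceId`, `roleAssignments` and `enableDefaultTelemetry`, and removes the defaults of `lock` and `roleAssignments`, so both become required inputs while the neighbouring `pipDiagnosticSettingsName` keeps its decorator and the file ends up half-documented. The renames to `networkSecurityGroupId` and `ipConfigurationArray` and the removed `enableDefaultTelemetry` parameter change this module's interface; its caller in the parent `deploy.bicep` is not in this chunk, so I cannot confirm it was updated in step. At minimum restore the decorators, e.g. `@description('Optional. The network security group (NSG) to attach to the network interface.')` above `param networkSecurityGroupId string = ''` and `@description('Required. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource.')` above `param roleAssignments array`, and give `lock` the same `@allowed` block `deploy.bicep` uses so the `'NotSpecified'` sentinel is enforced at this boundary too.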
@@ -32,71 +24,100 @@ param pipDiagnosticSettingsName string = '${virtualMachineName}-diagnosticSettin @description('Optional. The name of the NIC diagnostic setting, if deployed.') param nicDiagnosticSettingsName string = '${virtualMachineName}-diagnosticSettings' -var enableReferencedModulesTelemetry = false +var nicDiagnosticsMetrics = [for metric in nicDiagnosticMetricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] -module networkInterface_publicIPAddresses '../../../Microsoft.Network/publicIPAddresses/deploy.bicep' = [for (ipConfiguration, index) in ipConfigurations: if (contains(ipConfiguration, 'pipconfiguration')) { - name: '${deployment().name}-publicIP-${index}' +module networkInterface_publicIPConfigurations 'nested_networkInterface_publicIPAddress.bicep' = [for (ipConfiguration, index) in ipConfigurationArray: if (contains(ipConfiguration, 'pipconfiguration')) { + name: '${deployment().name}-PIP-${index}' params: { - name: '${virtualMachineName}${ipConfiguration.pipconfiguration.publicIpNameSuffix}' + publicIPAddressName: '${virtualMachineName}${ipConfiguration.pipconfiguration.publicIpNameSuffix}' + publicIPPrefixId: (contains(ipConfiguration.pipconfiguration, 'publicIPPrefixId') ? (!(empty(ipConfiguration.pipconfiguration.publicIPPrefixId)) ? ipConfiguration.pipconfiguration.publicIPPrefixId : '') : '') + publicIPAllocationMethod: (contains(ipConfiguration.pipconfiguration, 'publicIPAllocationMethod') ? (!(empty(ipConfiguration.pipconfiguration.publicIPAllocationMethod)) ? ipConfiguration.pipconfiguration.publicIPAllocationMethod : 'Static') : 'Static') + skuName: (contains(ipConfiguration.pipconfiguration, 'skuName') ? (!(empty(ipConfiguration.pipconfiguration.skuName)) ? ipConfiguration.pipconfiguration.skuName : 'Standard') : 'Standard') + skuTier: (contains(ipConfiguration.pipconfiguration, 'skuTier') ? 
(!(empty(ipConfiguration.pipconfiguration.skuTier)) ? ipConfiguration.pipconfiguration.skuTier : 'Regional') : 'Regional') + location: location + diagnosticStorageAccountId: diagnosticStorageAccountId + diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays + diagnosticWorkspaceId: diagnosticWorkspaceId diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId diagnosticEventHubName: diagnosticEventHubName - diagnosticLogCategoriesToEnable: pipdiagnosticLogCategoriesToEnable - diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays - diagnosticMetricsToEnable: pipdiagnosticMetricsToEnable diagnosticSettingsName: pipDiagnosticSettingsName - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticWorkspaceId: diagnosticWorkspaceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: location + diagnosticMetricsToEnable: pipdiagnosticMetricsToEnable + diagnosticLogCategoriesToEnable: pipdiagnosticLogCategoriesToEnable lock: lock - publicIPAddressVersion: contains(ipConfiguration, 'publicIPAddressVersion') ? ipConfiguration.publicIPAddressVersion : 'IPv4' - publicIPAllocationMethod: contains(ipConfiguration, 'publicIPAllocationMethod') ? ipConfiguration.publicIPAllocationMethod : 'Static' - publicIPPrefixResourceId: contains(ipConfiguration, 'publicIPPrefixResourceId') ? ipConfiguration.publicIPPrefixResourceId : '' - roleAssignments: contains(ipConfiguration, 'roleAssignments') ? ipConfiguration.roleAssignments : [] - skuName: contains(ipConfiguration, 'skuName') ? ipConfiguration.skuName : 'Standard' - skuTier: contains(ipConfiguration, 'skuTier') ? ipConfiguration.skuTier : 'Regional' + roleAssignments: contains(ipConfiguration.pipconfiguration, 'roleAssignments') ? (!empty(ipConfiguration.pipconfiguration.roleAssignments) ? ipConfiguration.pipconfiguration.roleAssignments : []) : [] tags: tags - zones: contains(ipConfiguration, 'zones') ? 
ipConfiguration.zones : [] } }] -module networkInterface '../../../Microsoft.Network/networkInterfaces/deploy.bicep' = { - name: '${deployment().name}-NetworkInterface' - params: { - name: networkInterfaceName - ipConfigurations: [for (ipConfiguration, index) in ipConfigurations: { +resource networkInterface 'Microsoft.Network/networkInterfaces@2021-05-01' = { + name: networkInterfaceName + location: location + tags: tags + properties: { + enableIPForwarding: enableIPForwarding + enableAcceleratedNetworking: enableAcceleratedNetworking + dnsSettings: !empty(dnsServers) ? { + dnsServers: dnsServers + } : null + networkSecurityGroup: !empty(networkSecurityGroupId) ? { + id: networkSecurityGroupId + } : null + ipConfigurations: [for (ipConfiguration, index) in ipConfigurationArray: { name: !empty(ipConfiguration.name) ? ipConfiguration.name : null - primary: index == 0 - privateIPAllocationMethod: contains(ipConfiguration, 'privateIPAllocationMethod') ? (!empty(ipConfiguration.privateIPAllocationMethod) ? ipConfiguration.privateIPAllocationMethod : null) : null - privateIPAddress: contains(ipConfiguration, 'vmIPAddress') ? (!empty(ipConfiguration.vmIPAddress) ? ipConfiguration.vmIPAddress : null) : null - publicIPAddressResourceId: contains(ipConfiguration, 'pipconfiguration') ? resourceId('Microsoft.Network/publicIPAddresses', '${virtualMachineName}${ipConfiguration.pipconfiguration.publicIpNameSuffix}') : null - subnetId: ipConfiguration.subnetId - loadBalancerBackendAddressPools: contains(ipConfiguration, 'loadBalancerBackendAddressPools') ? ipConfiguration.loadBalancerBackendAddressPools : null - applicationSecurityGroups: contains(ipConfiguration, 'applicationSecurityGroups') ? ipConfiguration.applicationSecurityGroups : null - applicationGatewayBackendAddressPools: contains(ipConfiguration, 'applicationGatewayBackendAddressPools') ? 
ipConfiguration.applicationGatewayBackendAddressPools : null - gatewayLoadBalancer: contains(ipConfiguration, 'gatewayLoadBalancer') ? ipConfiguration.gatewayLoadBalancer : null - loadBalancerInboundNatRules: contains(ipConfiguration, 'loadBalancerInboundNatRules') ? ipConfiguration.loadBalancerInboundNatRules : null - privateIPAddressVersion: contains(ipConfiguration, 'privateIPAddressVersion') ? ipConfiguration.privateIPAddressVersion : null - virtualNetworkTaps: contains(ipConfiguration, 'virtualNetworkTaps') ? ipConfiguration.virtualNetworkTaps : null + properties: { + primary: ((index == 0) ? true : false) + privateIPAllocationMethod: contains(ipConfiguration, 'privateIPAllocationMethod') ? (!empty(ipConfiguration.privateIPAllocationMethod) ? ipConfiguration.privateIPAllocationMethod : null) : null + privateIPAddress: contains(ipConfiguration, 'vmIPAddress') ? (!empty(ipConfiguration.vmIPAddress) ? ipConfiguration.vmIPAddress : null) : null + publicIPAddress: contains(ipConfiguration, 'pipconfiguration') ? json('{"id":"${resourceId('Microsoft.Network/publicIPAddresses', '${virtualMachineName}${ipConfiguration.pipconfiguration.publicIpNameSuffix}')}"}') : null + subnet: { + id: ipConfiguration.subnetId + } + loadBalancerBackendAddressPools: contains(ipConfiguration, 'loadBalancerBackendAddressPools') ? ipConfiguration.loadBalancerBackendAddressPools : null + applicationSecurityGroups: contains(ipConfiguration, 'applicationSecurityGroups') ? ipConfiguration.applicationSecurityGroups : null + } }] - location: location - tags: tags - diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId - diagnosticEventHubName: diagnosticEventHubName - diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticMetricsToEnable: nicDiagnosticMetricsToEnable - diagnosticSettingsName: nicDiagnosticSettingsName - diagnosticWorkspaceId: diagnosticWorkspaceId - dnsServers: !empty(dnsServers) ? 
dnsServers : [] - enableAcceleratedNetworking: enableAcceleratedNetworking - enableDefaultTelemetry: enableReferencedModulesTelemetry - enableIPForwarding: enableIPForwarding - lock: lock - networkSecurityGroupResourceId: !empty(networkSecurityGroupResourceId) ? networkSecurityGroupResourceId : '' - roleAssignments: !empty(roleAssignments) ? roleAssignments : [] } dependsOn: [ - networkInterface_publicIPAddresses + networkInterface_publicIPConfigurations ] } + +resource networkInterface_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { + name: '${networkInterface.name}-${lock}-lock' + properties: { + level: lock + notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + } + scope: networkInterface +} + +resource networkInterface_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { + name: nicDiagnosticSettingsName + properties: { + storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null + workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null + eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null + eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null + metrics: nicDiagnosticsMetrics + } + scope: networkInterface +} + +module networkInterface_rbac 'nested_networkInterface_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: '${deployment().name}-Rbac-${index}' + params: { + description: contains(roleAssignment, 'description') ? roleAssignment.description : '' + principalIds: roleAssignment.principalIds + principalType: contains(roleAssignment, 'principalType') ? 
roleAssignment.principalType : '' + roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName + resourceId: networkInterface.id + } +}] diff --git a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_publicIPAddress.bicep b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_publicIPAddress.bicep new file mode 100644 index 0000000000..d8e3494d4a --- /dev/null +++ b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_publicIPAddress.bicep 
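Review bot: Replacing the `networkInterfaces` module with an inline resource silently drops ipConfiguration keys the old side forwarded — `applicationGatewayBackendAddressPools`, `gatewayLoadBalancer`, `loadBalancerInboundNatRules`, `privateIPAddressVersion` and `virtualNetworkTaps` are no longer read, so a caller that sets them loses those settings without any error; the same happens to `zones` and `publicIPAddressVersion` on the public IP side, which the new `nested_networkInterface_publicIPAddress.bicep` has no parameters for. Either forward them (below) or state the reduced surface in the module documentation. Two points of style in the same hunk: `primary: ((index == 0) ? true : false)` can simply be `primary: index == 0`, and the `publicIPAddress` value is assembled from a JSON string where an object literal, `{ id: resourceId('Microsoft.Network/publicIPAddresses', '${virtualMachineName}${ipConfiguration.pipconfiguration.publicIpNameSuffix}') }`, is type-checked and easier to read.
```bicep
      properties: {
        // … unchanged: primary, privateIPAllocationMethod, privateIPAddress, publicIPAddress, subnet …
        loadBalancerBackendAddressPools: contains(ipConfiguration, 'loadBalancerBackendAddressPools') ? ipConfiguration.loadBalancerBackendAddressPools : null
        applicationSecurityGroups: contains(ipConfiguration, 'applicationSecurityGroups') ? ipConfiguration.applicationSecurityGroups : null
        applicationGatewayBackendAddressPools: contains(ipConfiguration, 'applicationGatewayBackendAddressPools') ? ipConfiguration.applicationGatewayBackendAddressPools : null
        gatewayLoadBalancer: contains(ipConfiguration, 'gatewayLoadBalancer') ? ipConfiguration.gatewayLoadBalancer : null
        loadBalancerInboundNatRules: contains(ipConfiguration, 'loadBalancerInboundNatRules') ? ipConfiguration.loadBalancerInboundNatRules : null
        privateIPAddressVersion: contains(ipConfiguration, 'privateIPAddressVersion') ? ipConfiguration.privateIPAddressVersion : null
        virtualNetworkTaps: contains(ipConfiguration, 'virtualNetworkTaps') ? ipConfiguration.virtualNetworkTaps : null
      }
```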
@@ -0,0 +1,96 @@
+param publicIPAddressName string
+param publicIPPrefixId string
+param publicIPAllocationMethod string
+param skuName string
+param skuTier string
+param location string
+param diagnosticStorageAccountId string
+param diagnosticLogsRetentionInDays int
+param diagnosticWorkspaceId string
+param diagnosticEventHubAuthorizationRuleId string
+param diagnosticEventHubName string
+param diagnosticMetricsToEnable array
+param diagnosticLogCategoriesToEnable array
+param lock string
+param roleAssignments array
+param tags object
+
+@description('Optional. The name of the diagnostic setting, if deployed.')
+param diagnosticSettingsName string = '${publicIPAddressName}-diagnosticSettings'
+
+var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
+ category: category
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+}]
+
+var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
+ category: metric
+ timeGrain: null
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+}]
+
+resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' = {
+ name: publicIPAddressName
+ location: location
+ tags: tags
+ sku: {
+ name: skuName
+ tier: skuTier
+ }
+ properties: {
+ publicIPAllocationMethod: publicIPAllocationMethod
+ publicIPPrefix: !empty(publicIPPrefixId) ? {
+ id: publicIPPrefixId
+ } : null
+ }
+}
+
+resource publicIpAddress_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
+ name: '${publicIpAddress.name}-${lock}-lock'
+ properties: {
+ level: lock
+ notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ }
+ scope: publicIpAddress
+}
+
+resource publicIpAddress_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
+ name: diagnosticSettingsName
+ properties: {
+ storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
+ workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
+ eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
+ eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
+ metrics: diagnosticsMetrics
+ logs: diagnosticsLogs
+ }
+ scope: publicIpAddress
+}
+
+module publicIpAddress_rbac 'nested_networkInterface_publicIPAddress_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${deployment().name}-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ resourceId: publicIpAddress.id
+ }
+}]
+
+@description('The name of the resource group the public IP address was deployed.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The name of the public IP address.')
+output name string = publicIpAddress.name
+
+@description('The resource ID of the public IP address.')
+output resourceId string = publicIpAddress.id
diff --git a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_publicIPAddress_rbac.bicep b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_publicIPAddress_rbac.bicep
new file mode 100644
index 0000000000..e9f7dacb77
--- /dev/null
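Review bot: `param lock string` has no `@allowed` constraint, yet `level: lock` on `publicIpAddress_lock` and the `lock != 'NotSpecified'` guard assume exactly the three values `deploy.bicep` enumerates, so any other string reaches the `Microsoft.Authorization/locks` API unchecked; add the same `@allowed` block `deploy.bicep` uses. Apart from `diagnosticSettingsName`, none of the sixteen parameters has a `@description`, which is inconsistent with the other nested files added in this commit — at least `lock`, `roleAssignments` and `publicIPPrefixId` deserve one, e.g. `@description('Required. Specify the type of lock; \'NotSpecified\' deploys the public IP without one.')`. The file also exposes no `publicIPAddressVersion` or `zones` parameter, which the old module path did forward, so those settings can no longer be requested through this nested module.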
+++ b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_publicIPAddress_rbac.bicep 
@@ -0,0 +1,61 @@
+@sys.description('Required. The IDs of the principals to assign the role to.')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
+ 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role':
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Microsoft OneAsset Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd1bb084-1503-4bd2-99c0-630220046786')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
+ 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
+ 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
+}
+
+resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' existing = {
+ name: last(split(resourceId, '/'))
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: {
+ name: guid(publicIpAddress.id, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? principalType : null
+ }
+ scope: publicIpAddress
+}]
diff --git a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_rbac.bicep b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_rbac.bicep
new file mode 100644
index 0000000000..dd4db24c7a
--- /dev/null
+++ b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_rbac.bicep
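Review bot: `resource publicIpAddress ... existing = { name: last(split(resourceId, '/')) }` keeps only the final segment of `resourceId`, so the role assignment is scoped to whatever public IP of that name exists in the deployment's resource group, not necessarily the resource the ID names; an ID from another resource group would assign the role on a different resource, or fail the lookup, without a clear error. The only caller visible here passes `publicIpAddress.id` from the same deployment, so this is safe today, but the parameter text should pin the contract: `@sys.description('Required. The resource ID of the public IP address to apply the role assignment to. Only the name segment is used; the resource must be in the deployment\'s resource group.')`. The `builtInRoleNames` table is also duplicated verbatim in `nested_networkInterface_rbac.bicep` in this same commit, so the two lists will drift the next time a role is added; at least a comment above each table naming its twin (`// keep in sync with nested_networkInterface_rbac.bicep`) would make that visible.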
@@ -0,0 +1,61 @@ +@sys.description('Required. The IDs of the principals to assign the role to.') +param principalIds array + +@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') +param roleDefinitionIdOrName string + +@sys.description('Required. The resource ID of the resource to apply the role assignment to.') +param resourceId string + +@sys.description('Optional. The principal type of the assigned principal ID.') +@allowed([ + 'ServicePrincipal' + 'Group' + 'User' + 'ForeignGroup' + 'Device' + '' +]) +param principalType string = '' + +@sys.description('Optional. The description of the role assignment.') +param description string = '' + +var builtInRoleNames = { + 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') + 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') + 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') + 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') + 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') + 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') + 'Managed Application Operator Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') + 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') + 'Microsoft OneAsset Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd1bb084-1503-4bd2-99c0-630220046786') + 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') + 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') + 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') + 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') + 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') + 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') + 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') + 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') +} + +resource networkInterface 'Microsoft.Network/networkInterfaces@2021-03-01' existing = { + name: last(split(resourceId, '/')) +} + +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: { + name: guid(networkInterface.id, principalId, roleDefinitionIdOrName) + properties: { + description: description + 
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName + principalId: principalId + principalType: !empty(principalType) ? principalType : null + } + scope: networkInterface +}] diff --git a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Compute/virtualMachines/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Compute/virtualMachines/.bicep/nested_rbac.bicep index 71948a0ce9..0e40a5298b 100644 --- a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_rbac.bicep @@ -55,7 +55,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: virtualMachine }] diff --git a/arm/Microsoft.Compute/virtualMachines/.parameters/linux.autmg.parameters.json b/arm/Microsoft.Compute/virtualMachines/.parameters/linux.autmg.parameters.json deleted file mode 100644 index 0a90e2dfde..0000000000 --- a/arm/Microsoft.Compute/virtualMachines/.parameters/linux.autmg.parameters.json +++ /dev/null 
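Review bot: `name: last(split(resourceId, '/'))` on the `existing` networkInterface resource keeps only the name segment of `resourceId`, so the role assignment is scoped to whatever NIC of that name lives in the deployment's resource group, not necessarily the resource the caller identified; a NIC from another resource group either fails with not-found or, if names collide, receives a grant meant for a different resource. The contract should be stated on the parameter, e.g. `@sys.description('Required. The resource ID of the network interface to apply the role assignment to. It must reside in the resource group this module is deployed to; only the name segment is used.')`. Separately, the assignment name hashes the raw `roleDefinitionIdOrName`, so the same role passed once by display name and once by ID yields two different names for one (scope, principal, role) tuple; hashing the resolved value instead — `var roleDefinitionId = contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName` and `name: guid(networkInterface.id, principalId, roleDefinitionId)` — keeps the name stable regardless of how the role was spelled.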
@@ -1,64 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-vm-linux-autmg-01" - }, - "osType": { - "value": "Linux" - }, - "imageReference": { - "value": { - "publisher": "Canonical", - "offer": "UbuntuServer", - "sku": "18.04-LTS", - "version": "latest" - } - }, - "osDisk": { - "value": { - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "vmSize": { - "value": "Standard_B12ms" - }, - "adminUsername": { - "value": "localAdminUser" - }, - "disablePasswordAuthentication": { - "value": true - }, - "publicKeys": { - "value": [ - { - "path": "/home/localAdminUser/.ssh/authorized_keys", - "keyData": "ssh-rsa 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 generated-by-azure" - } - ] - }, - "nicConfigurations": { - "value": [ - { - "nicSuffix": "-nic-01", - "ipConfigurations": [ - { - "name": "ipconfig01", - "subnetId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-01" - } - } - ] - } - ] - }, - "configurationProfile": { - "value": "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" - } - } -} diff --git a/arm/Microsoft.Compute/virtualMachines/.parameters/linux.parameters.json b/arm/Microsoft.Compute/virtualMachines/.parameters/linux.parameters.json index 1c42eef982..8938e6f7a3 100644 --- a/arm/Microsoft.Compute/virtualMachines/.parameters/linux.parameters.json +++ b/arm/Microsoft.Compute/virtualMachines/.parameters/linux.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-vm-linux-01" }, - "lock": { - "value": "CanNotDelete" - }, "systemAssignedIdentity": { "value": true }, 
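Review bot: Dropping `"lock": { "value": "CanNotDelete" }` from linux.parameters.json removes the only visible deployment exercising the module's lock path, and the Windows parameter file in this same change drops it too, so the `virtualMachine_lock` resource the commit also rewrites (`if (lock != 'NotSpecified')`, `level: lock`) may now ship with no validation deployment covering it — unless a parameter file outside this view still sets it. If the lock was removed because the validation pipeline cannot delete locked test resources, that rationale belongs in the commit message; otherwise keep one fixture with `"lock": { "value": "CanNotDelete" }` so the new default and the lock resource are validated together.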
@@ -213,6 +210,11 @@ "value": { "commandToExecute": "sudo apt-get update" } + }, + "configurationProfileAssignments": { + "value": [ + "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" + ] } } } diff --git a/arm/Microsoft.Compute/virtualMachines/.parameters/windows.autmg.parameters.json b/arm/Microsoft.Compute/virtualMachines/.parameters/windows.autmg.parameters.json deleted file mode 100644 index 29bbcb51ad..0000000000 --- a/arm/Microsoft.Compute/virtualMachines/.parameters/windows.autmg.parameters.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-vm-win-03" - }, - "imageReference": { - "value": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2019-Datacenter", - "version": "latest" - } - }, - "osType": { - "value": "Windows" - }, - "vmSize": { - "value": "Standard_B12ms" - }, - "osDisk": { - "value": { - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "adminUsername": { - "value": "localAdminUser" - }, - "adminPassword": { - "reference": { - "keyVault": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" - }, - "secretName": "adminPassword" - } - }, - "nicConfigurations": { - "value": [ - { - "nicSuffix": "-nic-01", - "ipConfigurations": [ - { - "name": "ipconfig01", - "subnetId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001" - } - ] - } - ] - }, - "configurationProfile": { - "value": "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" - } - } -} 
diff --git a/arm/Microsoft.Compute/virtualMachines/.parameters/windows.min.parameters.json b/arm/Microsoft.Compute/virtualMachines/.parameters/windows.min.parameters.json index d181987411..499379abad 100644 --- a/arm/Microsoft.Compute/virtualMachines/.parameters/windows.min.parameters.json +++ b/arm/Microsoft.Compute/virtualMachines/.parameters/windows.min.parameters.json @@ -2,14 +2,11 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { - "name": { - "value": "<>-vm-win-02" - }, "imageReference": { "value": { "publisher": "MicrosoftWindowsServer", "offer": "WindowsServer", - "sku": "2022-datacenter-azure-edition", + "sku": "2016-Datacenter", "version": "latest" } }, diff --git a/arm/Microsoft.Compute/virtualMachines/.parameters/windows.parameters.json b/arm/Microsoft.Compute/virtualMachines/.parameters/windows.parameters.json index 3a3de41959..632de7554a 100644 --- a/arm/Microsoft.Compute/virtualMachines/.parameters/windows.parameters.json +++ b/arm/Microsoft.Compute/virtualMachines/.parameters/windows.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-vm-win-01" }, - "lock": { - "value": "CanNotDelete" - }, "encryptionAtHost": { "value": false }, @@ -15,7 +12,7 @@ "value": { "publisher": "MicrosoftWindowsServer", "offer": "WindowsServer", - "sku": "2019-Datacenter", + "sku": "2016-Datacenter", "version": "latest" } }, @@ -230,6 +227,11 @@ "value": { "commandToExecute": "powershell -ExecutionPolicy Unrestricted -Command \"& .\\scriptExtensionMasterInstaller.ps1\"" } + }, + "configurationProfileAssignments": { + "value": [ + "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" + ] } } } diff --git a/arm/Microsoft.Compute/virtualMachines/deploy.bicep b/arm/Microsoft.Compute/virtualMachines/deploy.bicep index afc563dc2d..dc869f2e37 100644 --- a/arm/Microsoft.Compute/virtualMachines/deploy.bicep 
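Review bot: The validated Windows images regress from `2022-datacenter-azure-edition` (windows.min) and `2019-Datacenter` (windows.parameters) to `2016-Datacenter` with no rationale in either hunk; since these parameter files are the module's deployment tests, the change quietly narrows what the module is proven to deploy to an older OS baseline. If an older SKU is required by something added in this commit — the `AzureBestPracticesProduction` profile assignment added to windows.parameters.json is the obvious candidate, though I cannot confirm that from the diff — record the constraint in the readme or commit message, and keep the newer SKU in windows.min, which assigns no profile.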
+++ b/arm/Microsoft.Compute/virtualMachines/deploy.bicep @@ -240,12 +240,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -287,13 +287,8 @@ param additionalUnattendContent array = [] @description('Optional. Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object.') param winRM object = {} -@description('Required. The configuration profile of automanage.') -@allowed([ - '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' - '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest' - '' -]) -param configurationProfile string = '' +@description('Optional. Any VM configuration profile assignments.') +param configurationProfileAssignments array = [] var vmComputerNameTransformed = vmComputerNamesTransformation == 'uppercase' ? toUpper(name) : (vmComputerNamesTransformation == 'lowercase' ? toLower(name) : name) 
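Review bot: The new `configurationProfileAssignments` parameter drops the `@allowed` list that confined the old `configurationProfile` to the two Microsoft best-practice profile IDs, and its description `'Optional. Any VM configuration profile assignments.'` does not say what an element is, so a typo now reaches the Automanage API instead of failing validation. Accepting custom profiles is reasonable, but spell out the contract: `@description('Optional. Resource IDs of the Automanage configuration profiles to assign to the VM, e.g. /providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction.')`. In the `lock` hunk above, changing the default from `''` to `'NotSpecified'` and removing `''` from `@allowed` means callers that passed `lock: ''` explicitly now fail validation; that is a breaking change worth stating in the parameter description or the changelog.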
@@ -335,7 +330,7 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -353,15 +348,14 @@ module virtualMachine_nic '.bicep/nested_networkInterface.bicep' = [for (nicConf name: '${uniqueString(deployment().name, location)}-VM-Nic-${index}' params: { networkInterfaceName: '${name}${nicConfiguration.nicSuffix}' - enableDefaultTelemetry: enableDefaultTelemetry virtualMachineName: name location: location tags: tags enableIPForwarding: contains(nicConfiguration, 'enableIPForwarding') ? (!empty(nicConfiguration.enableIPForwarding) ? nicConfiguration.enableIPForwarding : false) : false enableAcceleratedNetworking: contains(nicConfiguration, 'enableAcceleratedNetworking') ? nicConfiguration.enableAcceleratedNetworking : true dnsServers: contains(nicConfiguration, 'dnsServers') ? (!empty(nicConfiguration.dnsServers) ? nicConfiguration.dnsServers : []) : [] - networkSecurityGroupResourceId: contains(nicConfiguration, 'networkSecurityGroupResourceId') ? nicConfiguration.networkSecurityGroupResourceId : '' - ipConfigurations: nicConfiguration.ipConfigurations + networkSecurityGroupId: contains(nicConfiguration, 'networkSecurityGroupId') ? (!empty(nicConfiguration.networkSecurityGroupId) ? nicConfiguration.networkSecurityGroupId : '') : '' + ipConfigurationArray: nicConfiguration.ipConfigurations lock: lock diagnosticStorageAccountId: diagnosticStorageAccountId diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays 
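Review bot: The NIC module call now reads `nicConfiguration.networkSecurityGroupId` where it previously read `nicConfiguration.networkSecurityGroupResourceId`, and because the lookup is wrapped in `contains(...)`, a caller still supplying the old key silently gets `''` — the NIC is deployed with no NSG attached rather than failing. The readme hunks in view do not mention this key, so unless every consumer is updated in the same change, accept both spellings for a release: `networkSecurityGroupId: contains(nicConfiguration, 'networkSecurityGroupId') ? nicConfiguration.networkSecurityGroupId : (contains(nicConfiguration, 'networkSecurityGroupResourceId') ? nicConfiguration.networkSecurityGroupResourceId : '')`. The enclosing `virtualMachine_nic` module declaration starts before this hunk.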
@@ -465,13 +459,13 @@ resource virtualMachine 'Microsoft.Compute/virtualMachines@2021-07-01' = { ] } -resource vm_configurationProfileAssignment 'Microsoft.Automanage/configurationProfileAssignments@2021-04-30-preview' = if (!empty(configurationProfile)) { - name: 'default' - properties: { - configurationProfile: configurationProfile +module vm_configurationProfileAssignment '.bicep/nested_configurationProfileAssignment.bicep' = [for (configurationProfileAssignment, index) in configurationProfileAssignments: { + name: '${uniqueString(deployment().name, location)}-VM-ConfigurationProfileAssignment-${index}' + params: { + virtualMachineName: virtualMachine.name + configurationProfile: configurationProfileAssignment } - scope: virtualMachine -} +}] module vm_domainJoinExtension 'extensions/deploy.bicep' = if (extensionDomainJoinConfig.enabled) { name: '${uniqueString(deployment().name, location)}-VM-DomainJoin' @@ -487,7 +481,7 @@ module vm_domainJoinExtension 'extensions/deploy.bicep' = if (extensionDomainJoi protectedSettings: { Password: extensionDomainJoinPassword } - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -502,7 +496,7 @@ module vm_microsoftAntiMalwareExtension 'extensions/deploy.bicep' = if (extensio autoUpgradeMinorVersion: contains(extensionAntiMalwareConfig, 'autoUpgradeMinorVersion') ? extensionAntiMalwareConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionAntiMalwareConfig, 'enableAutomaticUpgrade') ? extensionAntiMalwareConfig.enableAutomaticUpgrade : false settings: extensionAntiMalwareConfig.settings - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } 
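Review bot: The removed resource assigned the profile through a child resource fixed at `name: 'default'` and scoped to the VM, whereas the replacement deploys one `nested_configurationProfileAssignment.bicep` module per element of `configurationProfileAssignments`; if that nested file (not in view) keeps the fixed `default` name, a second element produces two deployments writing the same child resource with different `configurationProfile` values, which ends as a conflict or a last-writer-wins race rather than a validation error. The fixed name in the removed code suggests the service accepts a single assignment per VM — confirm against the Automanage resource contract — and if so, document it on the parameter, `@description('Optional. Automanage configuration profile assignments for the VM. At most one element is expected, as a VM carries a single assignment.')`, or fail early when `length(configurationProfileAssignments) > 1`.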
@@ -527,7 +521,7 @@ module vm_microsoftMonitoringAgentExtension 'extensions/deploy.bicep' = if (exte protectedSettings: { workspaceKey: !empty(monitoringWorkspaceId) ? vm_logAnalyticsWorkspace.listKeys().primarySharedKey : '' } - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -541,7 +535,7 @@ module vm_dependencyAgentExtension 'extensions/deploy.bicep' = if (extensionDepe typeHandlerVersion: contains(extensionDependencyAgentConfig, 'typeHandlerVersion') ? extensionDependencyAgentConfig.typeHandlerVersion : '9.5' autoUpgradeMinorVersion: contains(extensionDependencyAgentConfig, 'autoUpgradeMinorVersion') ? extensionDependencyAgentConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionDependencyAgentConfig, 'enableAutomaticUpgrade') ? extensionDependencyAgentConfig.enableAutomaticUpgrade : true - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -555,7 +549,7 @@ module vm_networkWatcherAgentExtension 'extensions/deploy.bicep' = if (extension typeHandlerVersion: contains(extensionNetworkWatcherAgentConfig, 'typeHandlerVersion') ? extensionNetworkWatcherAgentConfig.typeHandlerVersion : '1.4' autoUpgradeMinorVersion: contains(extensionNetworkWatcherAgentConfig, 'autoUpgradeMinorVersion') ? extensionNetworkWatcherAgentConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionNetworkWatcherAgentConfig, 'enableAutomaticUpgrade') ? extensionNetworkWatcherAgentConfig.enableAutomaticUpgrade : false - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } 
@@ -571,7 +565,7 @@ module vm_desiredStateConfigurationExtension 'extensions/deploy.bicep' = if (ext enableAutomaticUpgrade: contains(extensionDSCConfig, 'enableAutomaticUpgrade') ? extensionDSCConfig.enableAutomaticUpgrade : false settings: contains(extensionDSCConfig, 'settings') ? extensionDSCConfig.settings : {} protectedSettings: contains(extensionDSCConfig, 'protectedSettings') ? extensionDSCConfig.protectedSettings : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -589,7 +583,7 @@ module vm_customScriptExtension 'extensions/deploy.bicep' = if (extensionCustomS fileUris: [for fileData in extensionCustomScriptConfig.fileData: contains(fileData, 'storageAccountId') ? '${fileData.uri}?${listAccountSas(fileData.storageAccountId, '2019-04-01', accountSasProperties).accountSasToken}' : fileData.uri] } protectedSettings: extensionCustomScriptProtectedSetting - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ vm_desiredStateConfigurationExtension @@ -608,7 +602,7 @@ module vm_diskEncryptionExtension 'extensions/deploy.bicep' = if (extensionDiskE enableAutomaticUpgrade: contains(extensionDiskEncryptionConfig, 'enableAutomaticUpgrade') ? extensionDiskEncryptionConfig.enableAutomaticUpgrade : false forceUpdateTag: contains(extensionDiskEncryptionConfig, 'forceUpdateTag') ? extensionDiskEncryptionConfig.forceUpdateTag : '1.0' settings: extensionDiskEncryptionConfig.settings - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ vm_customScriptExtension 
@@ -616,16 +610,13 @@ module vm_diskEncryptionExtension 'extensions/deploy.bicep' = if (extensionDiskE ] } -module virtualMachine_backup '../../Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/deploy.bicep' = if (!empty(backupVaultName)) { +module virtualMachine_backup '.bicep/nested_backup.bicep' = if (!empty(backupVaultName)) { name: '${uniqueString(deployment().name, location)}-VM-Backup' params: { - name: 'vm;iaasvmcontainerv2;${resourceGroup().name};${virtualMachine.name}' - policyId: az.resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', backupVaultName, backupPolicyName) + backupResourceName: '${backupVaultName}/Azure/iaasvmcontainer;iaasvmcontainerv2;${resourceGroup().name};${virtualMachine.name}/vm;iaasvmcontainerv2;${resourceGroup().name};${virtualMachine.name}' protectedItemType: 'Microsoft.Compute/virtualMachines' - protectionContainerName: 'iaasvmcontainer;iaasvmcontainerv2;${resourceGroup().name};${virtualMachine.name}' - recoveryVaultName: backupVaultName + backupPolicyId: az.resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', backupVaultName, backupPolicyName) sourceResourceId: virtualMachine.id - enableDefaultTelemetry: enableReferencedModulesTelemetry } scope: az.resourceGroup(backupVaultResourceGroup) dependsOn: [ 
@@ -639,16 +630,16 @@ module virtualMachine_backup '../../Microsoft.RecoveryServices/vaults/protection ] } -resource virtualMachine_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource virtualMachine_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${virtualMachine.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: virtualMachine } -module virtualMachine_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module virtualMachine_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-VM-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Compute/virtualMachines/readme.md b/arm/Microsoft.Compute/virtualMachines/readme.md index 3d4aa372af..5859e136e2 100644 --- a/arm/Microsoft.Compute/virtualMachines/readme.md +++ b/arm/Microsoft.Compute/virtualMachines/readme.md @@ -6,7 +6,6 @@ This module deploys one Virtual Machine with one or multiple nics and optionally - [Resource Types](#Resource-Types) - [Parameters](#Parameters) -- [Considerations](#Considerations) - [Outputs](#Outputs) - [Deployment examples](#Deployment-examples) 
@@ -27,15 +26,14 @@ This module deploys one Virtual Machine with one or multiple nics and optionally ## Parameters **Required parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `adminUsername` | secureString | | | Administrator username. | -| `configurationProfile` | string | `''` | `[/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction, /providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest, ]` | The configuration profile of automanage. | -| `imageReference` | object | | | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | -| `nicConfigurations` | array | | | Configures NICs and PIPs. | -| `osDisk` | object | | | Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | -| `osType` | string | | `[Windows, Linux]` | The chosen OS type. | -| `vmSize` | string | | | Specifies the size for the VMs. | +| Parameter Name | Type | Allowed Values | Description | +| :-- | :-- | :-- | :-- | +| `adminUsername` | secureString | | Administrator username. | +| `imageReference` | object | | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | +| `nicConfigurations` | array | | Configures NICs and PIPs. | +| `osDisk` | object | | Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. 
| +| `osType` | string | `[Windows, Linux]` | The chosen OS type. | +| `vmSize` | string | | Specifies the size for the VMs. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | @@ -52,6 +50,7 @@ This module deploys one Virtual Machine with one or multiple nics and optionally | `bootDiagnosticStorageAccountName` | string | `''` | | Custom storage account used to store boot diagnostic information. Boot diagnostics will be enabled with a custom storage account if a value is provided. | | `bootDiagnosticStorageAccountUri` | string | `[format('.blob.{0}/', environment().suffixes.storage)]` | | Storage account boot diagnostic base URI. | | `certificatesToBeInstalled` | array | `[]` | | Specifies set of certificates that should be installed onto the virtual machine. | +| `configurationProfileAssignments` | array | `[]` | | Any VM configuration profile assignments. | | `customData` | string | `''` | | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | | `dataDisks` | array | `[]` | | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | | `dedicatedHostId` | string | `''` | | Specifies resource ID about the dedicated host that the virtual machine resides in. | 
@@ -78,7 +77,7 @@ This module deploys one Virtual Machine with one or multiple nics and optionally | `extensionNetworkWatcherAgentConfig` | object | `{object}` | | The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. | | `licenseType` | string | `''` | `[Windows_Client, Windows_Server, ]` | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `maxPriceForLowPriorityVm` | string | `''` | | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | | `monitoringWorkspaceId` | string | `''` | | Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true. | | `name` | string | `[take(toLower(uniqueString(resourceGroup().name)), 10)]` | | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | @@ -981,13 +980,6 @@ userAssignedIdentities: {

-## Considerations - -Enabling automanage triggers the creation of additional resources outside of the specific virtual machine deployment, such as: -- an `Automanage-Automate-` in the same Virtual Machine Resource Group and linking to the log analytics workspace leveraged by Azure Security Center. -- a `DefaultResourceGroup-` rg hosting a recovery services vault `DefaultBackupVault-` where vm backups are stored -For further details on automanage please refer to [Automanage virtual machines](https://docs.microsoft.com/en-us/azure/automanage/automanage-virtual-machines). - ## Outputs | Output Name | Type | Description | @@ -1006,134 +998,6 @@ For further details on automanage please refer to [Automanage virtual machines](

via JSON Parameter file -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-vm-linux-autmg-01" - }, - "osType": { - "value": "Linux" - }, - "imageReference": { - "value": { - "publisher": "Canonical", - "offer": "UbuntuServer", - "sku": "18.04-LTS", - "version": "latest" - } - }, - "osDisk": { - "value": { - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "vmSize": { - "value": "Standard_B12ms" - }, - "adminUsername": { - "value": "localAdminUser" - }, - "disablePasswordAuthentication": { - "value": true - }, - "publicKeys": { - "value": [ - { - "path": "/home/localAdminUser/.ssh/authorized_keys", - "keyData": "ssh-rsa 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 generated-by-azure" - } - ] - }, - "nicConfigurations": { - "value": [ - { - "nicSuffix": "-nic-01", - "ipConfigurations": [ - { - "name": "ipconfig01", - "subnetId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001", - "pipConfiguration": { - "publicIpNameSuffix": "-pip-01" - } - } - ] - } - ] - }, - "configurationProfile": { - "value": "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" - } - } -} - -``` - - - -
- -via Bicep module - -```bicep -module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-virtualMachines' - params: { - name: '<>-vm-linux-autmg-01' - osType: 'Linux' - imageReference: { - publisher: 'Canonical' - offer: 'UbuntuServer' - sku: '18.04-LTS' - version: 'latest' - } - osDisk: { - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' - } - } - vmSize: 'Standard_B12ms' - adminUsername: 'localAdminUser' - disablePasswordAuthentication: true - publicKeys: [ - { - path: '/home/localAdminUser/.ssh/authorized_keys' - keyData: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDdOir5eO28EBwxU0Dyra7g9h0HUXDyMNFp2z8PhaTUQgHjrimkMxjYRwEOG/lxnYL7+TqZk+HcPTfbZOunHBw0Wx2CITzILt6531vmIYZGfq5YyYXbxZa5MON7L/PVivoRlPj5Z/t4RhqMhyfR7EPcZ516LJ8lXPTo8dE/bkOCS+kFBEYHvPEEKAyLs19sRcK37SeHjpX04zdg62nqtuRr00Tp7oeiTXA1xn5K5mxeAswotmd8CU0lWUcJuPBWQedo649b+L2cm52kTncOBI6YChAeyEc1PDF0Tn9FmpdOWKtI9efh+S3f8qkcVEtSTXoTeroBd31nzjAunMrZeM8Ut6dre+XeQQIjT7I8oEm+ZkIuIyq0x2fls8JXP2YJDWDqu8v1+yLGTQ3Z9XVt2lMti/7bIgYxS0JvwOr5n5L4IzKvhb4fm13LLDGFa3o7Nsfe3fPb882APE0bLFCmfyIeiPh7go70WqZHakpgIr6LCWTyePez9CsI/rfWDb6eAM8= generated-by-azure' - } - ] - nicConfigurations: [ - { - nicSuffix: '-nic-01' - ipConfigurations: [ - { - name: 'ipconfig01' - subnetId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001' - pipConfiguration: { - publicIpNameSuffix: '-pip-01' - } - } - ] - } - ] - configurationProfile: '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' - } -``` - -
-

- -

Example 2

- -
- -via JSON Parameter file - ```json { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", @@ -1252,7 +1116,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {

-

Example 3

+

Example 2

@@ -1266,9 +1130,6 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "name": { "value": "<>-vm-linux-01" }, - "lock": { - "value": "CanNotDelete" - }, "systemAssignedIdentity": { "value": true }, @@ -1474,6 +1335,11 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "value": { "commandToExecute": "sudo apt-get update" } + }, + "configurationProfileAssignments": { + "value": [ + "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" + ] } } } @@ -1491,7 +1357,6 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { name: '${uniqueString(deployment().name)}-virtualMachines' params: { name: '<>-vm-linux-01' - lock: 'CanNotDelete' systemAssignedIdentity: true userAssignedIdentities: { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} @@ -1638,13 +1503,16 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { extensionCustomScriptProtectedSetting: { commandToExecute: 'sudo apt-get update' } + configurationProfileAssignments: [ + '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' + ] } ```

-

Example 4

+

Example 3

@@ -1655,14 +1523,11 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { - "name": { - "value": "<>-vm-win-03" - }, "imageReference": { "value": { "publisher": "MicrosoftWindowsServer", "offer": "WindowsServer", - "sku": "2019-Datacenter", + "sku": "2016-Datacenter", "version": "latest" } }, @@ -1703,9 +1568,6 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { ] } ] - }, - "configurationProfile": { - "value": "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" } } } @@ -1727,11 +1589,10 @@ resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = { module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { name: '${uniqueString(deployment().name)}-virtualMachines' params: { - name: '<>-vm-win-03' imageReference: { publisher: 'MicrosoftWindowsServer' offer: 'WindowsServer' - sku: '2019-Datacenter' + sku: '2016-Datacenter' version: 'latest' } osType: 'Windows' @@ -1743,122 +1604,22 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { } } adminUsername: 'localAdminUser' - adminPassword: kv1.getSecret('adminPassword') - nicConfigurations: [ + adminPassword: [ { - nicSuffix: '-nic-01' - ipConfigurations: [ - { - name: 'ipconfig01' - subnetId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001' + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' } - ] - } - ] - configurationProfile: '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' - } -``` - -
-

- -

Example 5

- -
- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-vm-win-02" - }, - "imageReference": { - "value": { - "publisher": "MicrosoftWindowsServer", - "offer": "WindowsServer", - "sku": "2022-datacenter-azure-edition", - "version": "latest" - } - }, - "osType": { - "value": "Windows" - }, - "vmSize": { - "value": "Standard_B12ms" - }, - "osDisk": { - "value": { - "diskSizeGB": "128", - "managedDisk": { - "storageAccountType": "Premium_LRS" - } - } - }, - "adminUsername": { - "value": "localAdminUser" - }, - "adminPassword": { - "reference": { - "keyVault": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" - }, - "secretName": "adminPassword" - } - }, - "nicConfigurations": { - "value": [ - { - "nicSuffix": "-nic-01", - "ipConfigurations": [ - { - "name": "ipconfig01", - "subnetId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001" - } - ] - } - ] + secretName: 'adminPassword' } - } -} - -``` - -
- -
- -via Bicep module - -```bicep -resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = { - name: 'adp-<>-az-kv-x-001' - scope: resourceGroup('<>','validation-rg') -} - -module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-virtualMachines' - params: { - name: '<>-vm-win-02' - imageReference: { - publisher: 'MicrosoftWindowsServer' - offer: 'WindowsServer' - sku: '2022-datacenter-azure-edition' - version: 'latest' - } - osType: 'Windows' - vmSize: 'Standard_B12ms' - osDisk: { - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'Premium_LRS' + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true } - } - adminUsername: 'localAdminUser' - adminPassword: kv1.getSecret('adminPassword') + ] nicConfigurations: [ { nicSuffix: '-nic-01' @@ -1876,7 +1637,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {

-

Example 6

+

Example 4

@@ -1890,9 +1651,6 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "name": { "value": "<>-vm-win-01" }, - "lock": { - "value": "CanNotDelete" - }, "encryptionAtHost": { "value": false }, @@ -1900,7 +1658,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "value": { "publisher": "MicrosoftWindowsServer", "offer": "WindowsServer", - "sku": "2019-Datacenter", + "sku": "2016-Datacenter", "version": "latest" } }, @@ -2115,6 +1873,11 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "value": { "commandToExecute": "powershell -ExecutionPolicy Unrestricted -Command \"& .\\scriptExtensionMasterInstaller.ps1\"" } + }, + "configurationProfileAssignments": { + "value": [ + "/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction" + ] } } } @@ -2137,12 +1900,11 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { name: '${uniqueString(deployment().name)}-virtualMachines' params: { name: '<>-vm-win-01' - lock: 'CanNotDelete' encryptionAtHost: false imageReference: { publisher: 'MicrosoftWindowsServer' offer: 'WindowsServer' - sku: '2019-Datacenter' + sku: '2016-Datacenter' version: 'latest' } osType: 'Windows' @@ -2178,7 +1940,22 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { ] availabilityZone: 2 adminUsername: 'localAdminUser' - adminPassword: kv1.getSecret('adminPassword') + adminPassword: [ + { + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + } + secretName: 'adminPassword' + } + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true + } + ] nicConfigurations: [ { nicSuffix: '-nic-01' 
@@ -2296,6 +2073,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { extensionCustomScriptProtectedSetting: { commandToExecute: 'powershell -ExecutionPolicy Unrestricted -Command \'& .\\scriptExtensionMasterInstaller.ps1\'' } + configurationProfileAssignments: [ + '/providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction' + ] } ``` diff --git a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/parameters.json b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/parameters.json index cdbb1078cd..1fdcb27dbd 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/.parameters/parameters.json +++ b/arm/Microsoft.ContainerInstance/containerGroups/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-acg-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "containerName": { "value": "<>-az-aci-x-001" }, diff --git a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep index 6ba3d5db01..0424d6f403 100644 --- a/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep +++ b/arm/Microsoft.ContainerInstance/containerGroups/deploy.bicep @@ -40,12 +40,12 @@ param environmentVariables array = [] param location string = resourceGroup().location @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false 
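Review bot: Callers that pass `lock: ''` (the previous default) now fail `@allowed` validation, because the containerGroups `lock` parameter's default and allowed set move from `''` to `'NotSpecified'`; the decorator should document the sentinel, e.g. `@description('Optional. Specify the type of lock. NotSpecified deploys no lock resource.')`. The same change is made to the registries module in the `@@ -97,16 +97,13 @@` hunk and to the managedClusters module in the `@@ -276,12 +276,12 @@` hunk, with the matching lock-resource edits in the `@@ -111,11 +111,11 @@`, `@@ -248,36 +245,15 @@` and `@@ -529,15 +529,15 @@` hunks. Dropping `any(lock)` there is presumably safe because `NotSpecified` is itself a value of the lock `level` enum, which also means the `if (lock != 'NotSpecified')` guard is the only thing preventing a `NotSpecified`-level lock resource from being deployed; the guard and the `@allowed` list have to be kept in sync.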
@@ -111,11 +111,11 @@ resource containergroup 'Microsoft.ContainerInstance/containerGroups@2021-03-01'
 }
 }
 
-resource containergroup_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource containergroup_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${containergroup.name}-${lock}-lock'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock
+ notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: containergroup
 }
diff --git a/arm/Microsoft.ContainerInstance/containerGroups/readme.md b/arm/Microsoft.ContainerInstance/containerGroups/readme.md
index e224724a17..15e9373b24 100644
--- a/arm/Microsoft.ContainerInstance/containerGroups/readme.md
+++ b/arm/Microsoft.ContainerInstance/containerGroups/readme.md
@@ -36,7 +36,7 @@ The top-level resource in Azure Container Instances is the container group. A co
 | `imageRegistryCredentials` | array | `[]` | | The image registry credentials by which the container group is created from. |
 | `ipAddressType` | string | `'Public'` | | Specifies if the IP is exposed to the public internet or private VNET. - Public or Private. |
 | `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
-| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
+| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. |
 | `memoryInGB` | int | `2` | | The amount of memory to allocate to the container in gigabytes. |
 | `osType` | string | `'Linux'` | | The operating system type required by the containers in the container group. - Windows or Linux. |
 | `ports` | array | `[System.Collections.Hashtable]` | | Port to open on the container and the public IP address. |
@@ -184,9 +184,6 @@ userAssignedIdentities: { "name": { "value": "<>-az-acg-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "containerName": { "value": "<>-az-aci-x-001" }, @@ -229,7 +226,6 @@ module containerGroups './Microsoft.ContainerInstance/containerGroups/deploy.bic name: '${uniqueString(deployment().name)}-containerGroups' params: { name: '<>-az-acg-x-001' - lock: 'CanNotDelete' containerName: '<>-az-aci-x-001' image: 'mcr.microsoft.com/azuredocs/aci-helloworld' ports: [ diff --git a/arm/Microsoft.ContainerRegistry/registries/.bicep/nested_privateEndpoints.bicep b/arm/Microsoft.ContainerRegistry/registries/.bicep/nested_privateEndpoints.bicep new file mode 100644 index 0000000000..9deaf8c02f --- /dev/null +++ b/arm/Microsoft.ContainerRegistry/registries/.bicep/nested_privateEndpoints.bicep 
@@ -0,0 +1,49 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpointObj object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}')
+ subnetResourceId: privateEndpointObj.subnetResourceId
+ service: [
+ privateEndpointObj.service
+ ]
+ privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? privateEndpointObj.privateDnsZoneResourceIds : [])
+ customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null)
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+}
+
+resource privateEndpoint_privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
+ name: '${privateEndpoint.name}/default'
+ properties: {
+ privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: {
+ name: last(split(privateDnsZoneResourceId, '/'))
+ properties: {
+ privateDnsZoneId: privateDnsZoneResourceId
+ }
+ }]
+ }
+}
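Review bot: None of the four `param` declarations in the new nested module carries a `@description` decorator, unlike the parent `deploy.bicep`, which decorates its parameters (`@description('Optional. ...')`); add one per parameter, and on `privateEndpointObj` state that only the `name`, `service`, `subnetResourceId`, `privateDnsZoneResourceIds` and `customDnsConfigs` keys are read, since any other key is silently dropped. The two resources use different API versions, `privateEndpoints@2021-05-01` and `privateDnsZoneGroups@2021-02-01`; if the older child version is intended, a comment on the `privateEndpoint_privateDnsZoneGroups` line should say why. `manualPrivateLinkServiceConnections` is hard-wired to `[]`, so the option the previous shared module exposed is not reachable through this module, which the same description should mention.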
diff --git a/arm/Microsoft.ContainerRegistry/registries/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.ContainerRegistry/registries/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.ContainerRegistry/registries/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.ContainerRegistry/registries/.bicep/nested_rbac.bicep index 4536d502de..9bff2ff283 100644 --- a/arm/Microsoft.ContainerRegistry/registries/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.ContainerRegistry/registries/.bicep/nested_rbac.bicep @@ -56,7 +56,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: registry }] diff --git a/arm/Microsoft.ContainerRegistry/registries/.parameters/parameters.json b/arm/Microsoft.ContainerRegistry/registries/.parameters/parameters.json index 970dd297eb..c900c68be8 100644 --- a/arm/Microsoft.ContainerRegistry/registries/.parameters/parameters.json +++ b/arm/Microsoft.ContainerRegistry/registries/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>azacrx001" }, - "lock": { - "value": "CanNotDelete" - }, "acrAdminUserEnabled": { "value": false }, @@ -31,14 +28,6 @@ } ] }, - "webhooks": { - "value": [ - { - "name": "<>azacrx001webhook", - "serviceUri": "https://www.contoso.com/webhook" - } - ] - }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.ContainerRegistry/registries/deploy.bicep b/arm/Microsoft.ContainerRegistry/registries/deploy.bicep index c0023deae6..8813fa3c8c 100644 --- a/arm/Microsoft.ContainerRegistry/registries/deploy.bicep +++ b/arm/Microsoft.ContainerRegistry/registries/deploy.bicep 
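Review bot: With `any()` gone from `principalType: !empty(principalType) ? principalType : null`, the expression's type is whatever the `principalType` parameter declares, and that declaration is outside this hunk; if it is a plain `string` or an `@allowed` list that includes `''`, `bicep build` will presumably report the type warning on this assignment that `any()` was suppressing, so the build output should be checked before merge. The same `any()` removal appears in the managedClusters `nested_rbac.bicep` hunk (`@@ -56,7 +56,7 @@`) and in the agentPools hunks `@@ -203,7 +203,7 @@` and `@@ -214,14 +214,14 @@` for `gpuInstanceProfile`, `osDiskType`, `osSKU` and `scaleSetPriority`.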
@@ -97,16 +97,13 @@ param zoneRedundancy string = 'Disabled' @description('Optional. All replications to create.') param replications array = [] -@description('Optional. All webhooks to create.') -param webhooks array = [] - @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false @@ -184,7 +181,7 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' 
@@ -248,36 +245,15 @@ module registry_replications 'replications/deploy.bicep' = [for (replication, in regionEndpointEnabled: contains(replication, 'regionEndpointEnabled') ? replication.regionEndpointEnabled : true zoneRedundancy: contains(replication, 'zoneRedundancy') ? replication.zoneRedundancy : 'Disabled' tags: contains(replication, 'tags') ? replication.tags : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -module registry_webhooks 'webhooks/deploy.bicep' = [for (webhook, index) in webhooks: { - name: '${uniqueString(deployment().name, location)}-Registry-Webhook-${index}' - params: { - name: webhook.name - registryName: registry.name - location: contains(webhook, 'location') ? webhook.location : location - action: contains(webhook, 'action') ? webhook.action : [ - 'chart_delete' - 'chart_push' - 'delete' - 'push' - 'quarantine' - ] - customHeaders: contains(webhook, 'customHeaders') ? webhook.customHeaders : {} - scope: contains(webhook, 'scope') ? webhook.scope : '' - status: contains(webhook, 'status') ? webhook.status : 'enabled' - serviceUri: webhook.serviceUri - tags: contains(webhook, 'tags') ? webhook.tags : {} + enableDefaultTelemetry: enableChildTelemetry } }] -resource registry_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource registry_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${registry.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: registry } 
@@ -295,7 +271,7 @@ resource registry_diagnosticSettingName 'Microsoft.Insights/diagnosticsettings@2
 scope: registry
 }
 
-module registry_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module registry_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-ContainerRegistry-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
@@ -306,23 +282,13 @@ module registry_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignmen } }] -module registry_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { +module registry_privateEndpoints '.bicep/nested_privateEndpoints.bicep' = [for (privateEndpoint, index) in privateEndpoints: { name: '${uniqueString(deployment().name, location)}-ContainerRegistry-PrivateEndpoint-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(registry.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: registry.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: registry.id + privateEndpointVnetLocation: empty(privateEndpoints) ? 'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + privateEndpointObj: privateEndpoint + tags: tags } }] diff --git a/arm/Microsoft.ContainerRegistry/registries/readme.md b/arm/Microsoft.ContainerRegistry/registries/readme.md index 85ed8a0039..185d02a5f8 100644 
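Review bot: The per-endpoint `lock`, `roleAssignments`, `privateDnsZoneGroups`, `manualPrivateLinkServiceConnections` and `tags` keys that the removed shared-module call honoured are silently ignored by the new `registry_privateEndpoints` call, which forwards only `privateEndpointResourceId`, `privateEndpointVnetLocation`, `privateEndpointObj` and `tags`; an existing parameter file that sets `privateDnsZoneGroups` on an endpoint now deploys that endpoint with no DNS zone group and no lock, and nothing reports it. If that narrowing is intended, the `privateEndpoints` parameter usage in the module readme should list the keys the nested module reads (`name`, `service`, `subnetResourceId`, `privateDnsZoneResourceIds`, `customDnsConfigs`). The `empty(privateEndpoints) ? 'dummy' : reference(...)` expression is evaluated inside a loop over `privateEndpoints`, so it is presumably a workaround for the copy loop being evaluated at count zero; a one-line comment saying so, e.g. `// 'dummy' avoids evaluating reference() when the copy count is 0`, would keep the next reader from removing it.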
--- a/arm/Microsoft.ContainerRegistry/registries/readme.md +++ b/arm/Microsoft.ContainerRegistry/registries/readme.md @@ -17,10 +17,9 @@ Azure Container Registry is a managed, private Docker registry service based on | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.ContainerRegistry/registries` | [2021-09-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-09-01/registries) | | `Microsoft.ContainerRegistry/registries/replications` | [2021-12-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-12-01-preview/registries/replications) | -| `Microsoft.ContainerRegistry/registries/webhooks` | [2021-12-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-12-01-preview/registries/webhooks) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters 
@@ -48,7 +47,7 @@ Azure Container Registry is a managed, private Docker registry service based on | `exportPolicyStatus` | string | `'disabled'` | `[disabled, enabled]` | The value that indicates whether the export policy is enabled or not. | | `keyVaultProperties` | object | `{object}` | | Identity which will be used to access key vault and Key vault uri to access the encryption key. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `networkRuleBypassOptions` | string | `'AzureServices'` | | Whether to allow trusted Azure services to access a network restricted registry. Not relevant in case of public access. - AzureServices or None. | | `networkRuleSetDefaultAction` | string | `'Deny'` | `[Allow, Deny]` | The default action of allow or deny when no other rules match. | | `networkRuleSetIpRules` | array | `[]` | | The IP ACL rules. | @@ -63,7 +62,6 @@ Azure Container Registry is a managed, private Docker registry service based on | `tags` | object | `{object}` | | Tags of the resource. | | `trustPolicyStatus` | string | `'disabled'` | `[disabled, enabled]` | The value that indicates whether the trust policy is enabled or not. | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | -| `webhooks` | _[webhooks](webhooks/readme.md)_ array | `[]` | | All webhooks to create. | | `zoneRedundancy` | string | `'Disabled'` | `[Disabled, Enabled]` | Whether or not zone redundancy is enabled for this container registry. | @@ -375,9 +373,6 @@ module registries './Microsoft.ContainerRegistry/registries/deploy.bicep' = { "name": { "value": "<>azacrx001" }, - "lock": { - "value": "CanNotDelete" - }, "acrAdminUserEnabled": { "value": false }, 
@@ -401,14 +396,6 @@ module registries './Microsoft.ContainerRegistry/registries/deploy.bicep' = { } ] }, - "webhooks": { - "value": [ - { - "name": "<>azacrx001webhook", - "serviceUri": "https://www.contoso.com/webhook" - } - ] - }, "roleAssignments": { "value": [ { @@ -466,7 +453,6 @@ module registries './Microsoft.ContainerRegistry/registries/deploy.bicep' = { name: '${uniqueString(deployment().name)}-registries' params: { name: '<>azacrx001' - lock: 'CanNotDelete' acrAdminUserEnabled: false acrSku: 'Premium' exportPolicyStatus: 'enabled' @@ -478,12 +464,6 @@ module registries './Microsoft.ContainerRegistry/registries/deploy.bicep' = { location: 'northeurope' } ] - webhooks: [ - { - name: '<>azacrx001webhook' - serviceUri: 'https://www.contoso.com/webhook' - } - ] roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/arm/Microsoft.ContainerRegistry/registries/webhooks/deploy.bicep b/arm/Microsoft.ContainerRegistry/registries/webhooks/deploy.bicep deleted file mode 100644 index a05764cfbe..0000000000 --- a/arm/Microsoft.ContainerRegistry/registries/webhooks/deploy.bicep +++ /dev/null 
@@ -1,92 +0,0 @@ -@description('Conditional. The name of the parent registry. Required if the template is used in a standalone deployment.') -param registryName string - -@description('Optional. The name of the registry webhook.') -@minLength(5) -@maxLength(50) -param name string = '${registryName}webhook' - -@description('Required. The service URI for the webhook to post notifications.') -param serviceUri string - -@allowed([ - 'disabled' - 'enabled' -]) -@description('Optional. The status of the webhook at the time the operation was called.') -param status string = 'enabled' - -@description('Optional. The list of actions that trigger the webhook to post notifications.') -param action array = [ - 'chart_delete' - 'chart_push' - 'delete' - 'push' - 'quarantine' -] - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Tags of the resource.') -param tags object = {} - -@description('Optional. Custom headers that will be added to the webhook notifications.') -param customHeaders object = {} - -@description('Optional. The scope of repositories where the event can be triggered. For example, \'foo:*\' means events for all tags under repository \'foo\'. \'foo:bar\' means events for \'foo:bar\' only. \'foo\' is equivalent to \'foo:latest\'. Empty means all events.') -param scope string = '' - -@description('Optional. 
Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource registry 'Microsoft.ContainerRegistry/registries@2021-09-01' existing = { - name: registryName -} - -resource webhook 'Microsoft.ContainerRegistry/registries/webhooks@2021-12-01-preview' = { - name: name - parent: registry - location: location - tags: tags - properties: { - actions: action - customHeaders: customHeaders - scope: scope - serviceUri: serviceUri - status: status - } -} - -@description('The resource ID of the webhook.') -output resourceId string = webhook.id - -@description('The name of the webhook.') -output name string = webhook.name - -@description('The name of the Azure container registry.') -output resourceGroupName string = resourceGroup().name - -@description('The actions of the webhook.') -output actions array = webhook.properties.actions - -@description('The status of the webhook.') -output status string = webhook.properties.status - -@description('The provisioning state of the webhook.') -output provistioningState string = webhook.properties.provisioningState - -@description('The location the resource was deployed into.') -output location string = webhook.location diff --git a/arm/Microsoft.ContainerRegistry/registries/webhooks/readme.md b/arm/Microsoft.ContainerRegistry/registries/webhooks/readme.md deleted file mode 100644 index dc9f3279d6..0000000000 --- a/arm/Microsoft.ContainerRegistry/registries/webhooks/readme.md +++ /dev/null 
@@ -1,93 +0,0 @@ -# ContainerRegistry Registries Webhooks `[Microsoft.ContainerRegistry/registries/webhooks]` - -This module deploys ContainerRegistry Registries Webhooks. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.ContainerRegistry/registries/webhooks` | [2021-12-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-12-01-preview/registries/webhooks) | - -## Parameters - -**Required parameters** -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `serviceUri` | string | The service URI for the webhook to post notifications. | - -**Conditional parameters** -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `registryName` | string | The name of the parent registry. Required if the template is used in a standalone deployment. | - -**Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `action` | array | `[chart_delete, chart_push, delete, push, quarantine]` | | The list of actions that trigger the webhook to post notifications. | -| `customHeaders` | object | `{object}` | | Custom headers that will be added to the webhook notifications. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `name` | string | `[format('{0}webhook', parameters('registryName'))]` | | The name of the registry webhook. | -| `scope` | string | `''` | | The scope of repositories where the event can be triggered. For example, 'foo:*' means events for all tags under repository 'foo'. 'foo:bar' means events for 'foo:bar' only. 'foo' is equivalent to 'foo:latest'. Empty means all events. 
| -| `status` | string | `'enabled'` | `[disabled, enabled]` | The status of the webhook at the time the operation was called. | -| `tags` | object | `{object}` | | Tags of the resource. | - - -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -
- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `actions` | array | The actions of the webhook. | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the webhook. | -| `provistioningState` | string | The provisioning state of the webhook. | -| `resourceGroupName` | string | The name of the Azure container registry. | -| `resourceId` | string | The resource ID of the webhook. | -| `status` | string | The status of the webhook. | diff --git a/arm/Microsoft.ContainerRegistry/registries/webhooks/version.json b/arm/Microsoft.ContainerRegistry/registries/webhooks/version.json deleted file mode 100644 index 41f66cc990..0000000000 --- a/arm/Microsoft.ContainerRegistry/registries/webhooks/version.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.1" -} diff --git a/arm/Microsoft.ContainerService/managedClusters/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.ContainerService/managedClusters/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.ContainerService/managedClusters/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.ContainerService/managedClusters/.bicep/nested_rbac.bicep index f583ab3791..b5390bd866 100644 --- a/arm/Microsoft.ContainerService/managedClusters/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.ContainerService/managedClusters/.bicep/nested_rbac.bicep @@ -56,7 +56,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: managedCluster }] 
diff --git a/arm/Microsoft.ContainerService/managedClusters/.parameters/azure.parameters.json b/arm/Microsoft.ContainerService/managedClusters/.parameters/azure.parameters.json index b9406ba122..10a7e7af1c 100644 --- a/arm/Microsoft.ContainerService/managedClusters/.parameters/azure.parameters.json +++ b/arm/Microsoft.ContainerService/managedClusters/.parameters/azure.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-aks-azure-001" }, - "lock": { - "value": "CanNotDelete" - }, "primaryAgentPoolProfile": { "value": [ { diff --git a/arm/Microsoft.ContainerService/managedClusters/agentPools/deploy.bicep b/arm/Microsoft.ContainerService/managedClusters/agentPools/deploy.bicep index 383ad1234c..4680d788a6 100644 --- a/arm/Microsoft.ContainerService/managedClusters/agentPools/deploy.bicep +++ b/arm/Microsoft.ContainerService/managedClusters/agentPools/deploy.bicep @@ -203,7 +203,7 @@ resource agentPool 'Microsoft.ContainerService/managedClusters/agentPools@2021-0 enableFIPS: enableFIPS enableNodePublicIP: enableNodePublicIP enableUltraSSD: enableUltraSSD - gpuInstanceProfile: !empty(gpuInstanceProfile) ? any(gpuInstanceProfile) : null + gpuInstanceProfile: !empty(gpuInstanceProfile) ? gpuInstanceProfile : null kubeletDiskType: kubeletDiskType maxCount: maxCount != -1 ? maxCount : null maxPods: maxPods != -1 ? maxPods : null 
@@ -214,14 +214,14 @@ resource agentPool 'Microsoft.ContainerService/managedClusters/agentPools@2021-0
 nodeTaints: nodeTaints
 orchestratorVersion: orchestratorVersion
 osDiskSizeGB: osDiskSizeGB != -1 ? osDiskSizeGB : null
- osDiskType: !empty(osDiskType) ? any(osDiskType) : null
- osSKU: !empty(osSku) ? any(osSku) : null
+ osDiskType: !empty(osDiskType) ? osDiskType : null
+ osSKU: !empty(osSku) ? osSku : null
 osType: osType
 podSubnetID: !empty(podSubnetId) ? podSubnetId : null
 proximityPlacementGroupID: !empty(proximityPlacementGroupId) ? proximityPlacementGroupId : null
 scaleDownMode: scaleDownMode
 scaleSetEvictionPolicy: scaleSetEvictionPolicy
- scaleSetPriority: !empty(scaleSetPriority) ? any(scaleSetPriority) : null
+ scaleSetPriority: !empty(scaleSetPriority) ? scaleSetPriority : null
 spotMaxPrice: spotMaxPrice
 tags: tags
 type: type
diff --git a/arm/Microsoft.ContainerService/managedClusters/deploy.bicep b/arm/Microsoft.ContainerService/managedClusters/deploy.bicep
index 52ded3c4f5..a7a2e2476e 100644
--- a/arm/Microsoft.ContainerService/managedClusters/deploy.bicep
+++ b/arm/Microsoft.ContainerService/managedClusters/deploy.bicep
@@ -276,12 +276,12 @@ param enableDefaultTelemetry bool = true
 param roleAssignments array = []
 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -357,7 +357,7 @@ var lbProfile = {
 effectiveOutboundIPs: []
 }
-var enableReferencedModulesTelemetry = false
+var enableChildTelemetry = false
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
@@ -371,7 +371,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource managedCluster 'Microsoft.ContainerService/managedClusters@2022-03-02-preview' = {
+resource managedCluster 'Microsoft.ContainerService/managedClusters@2022-02-01' = {
 name: name
 location: location
 tags: tags
@@ -529,15 +529,15 @@ module managedCluster_agentPools 'agentPools/deploy.bicep' = [for (agentPool, in
 vmSize: contains(agentPool, 'vmSize') ? agentPool.vmSize : 'Standard_D2s_v3'
 vnetSubnetId: contains(agentPool, 'vnetSubnetId') ? agentPool.vnetSubnetId : ''
 workloadRuntime: contains(agentPool, 'workloadRuntime') ? agentPool.workloadRuntime : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
-resource managedCluster_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource managedCluster_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${managedCluster.name}-${lock}-lock'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock
+ notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: managedCluster
 }
@@ -555,7 +555,7 @@ resource managedCluster_diagnosticSettings 'Microsoft.Insights/diagnosticsetting
 scope: managedCluster
 }
-module managedCluster_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module managedCluster_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-ManagedCluster-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
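Review bot: The new condition `if (lock != 'NotSpecified')` on `managedCluster_lock` is no longer exercised by the module's test deployment, because the same commit drops `"lock": { "value": "CanNotDelete" }` from `.parameters/azure.parameters.json` and from the readme examples, so every test run now takes the default and the lock resource is never deployed. A resource lock is the control that guards the cluster against accidental deletion, and the changed lines (`level: lock`, the `notes` ternary and the name `'${managedCluster.name}-${lock}-lock'`) would only be validated by a deployment that sets it; keeping `lock: 'CanNotDelete'` in at least one parameter file, or adding a dedicated parameter set for it, would restore that coverage. The `dataFactory_lock` hunk and its `.parameters/parameters.json` further down in this diff have the same gap. The `managedCluster` resource body and the `managedCluster_agentPools` module begin outside these hunks.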
diff --git a/arm/Microsoft.ContainerService/managedClusters/readme.md b/arm/Microsoft.ContainerService/managedClusters/readme.md index bb7ba89d83..3c3a576878 100644 --- a/arm/Microsoft.ContainerService/managedClusters/readme.md +++ b/arm/Microsoft.ContainerService/managedClusters/readme.md @@ -15,7 +15,7 @@ This module deploys Azure Kubernetes Cluster (AKS). | :-- | :-- | | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | -| `Microsoft.ContainerService/managedClusters` | [2022-03-02-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2022-03-02-preview/managedClusters) | +| `Microsoft.ContainerService/managedClusters` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2022-02-01/managedClusters) | | `Microsoft.ContainerService/managedClusters/agentPools` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2021-08-01/managedClusters/agentPools) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | 
@@ -100,7 +100,7 @@ This module deploys Azure Kubernetes Cluster (AKS). | `ingressApplicationGatewayEnabled` | bool | `False` | | Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not. | | `kubeDashboardEnabled` | bool | `False` | | Specifies whether the kubeDashboard add-on is enabled or not. | | `location` | string | `[resourceGroup().location]` | | Specifies the location of AKS cluster. It picks up Resource Group's location by default. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `managedOutboundIPCount` | int | `0` | | Outbound IP Count for the Load balancer. | | `monitoringWorkspaceId` | string | `''` | | Resource ID of the monitoring log analytics workspace. | | `nodeResourceGroup` | string | `[format('{0}_aks_{1}_nodes', resourceGroup().name, parameters('name'))]` | | Name of the resource group containing agent pool nodes. | @@ -372,9 +372,6 @@ userAssignedIdentities: { "name": { "value": "<>-az-aks-azure-001" }, - "lock": { - "value": "CanNotDelete" - }, "primaryAgentPoolProfile": { "value": [ { @@ -499,7 +496,6 @@ module managedClusters './Microsoft.ContainerService/managedClusters/deploy.bice name: '${uniqueString(deployment().name)}-managedClusters' params: { name: '<>-az-aks-azure-001' - lock: 'CanNotDelete' primaryAgentPoolProfile: [ { name: 'systempool' diff --git a/arm/Microsoft.DataFactory/factories/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.DataFactory/factories/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.DataFactory/factories/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.DataFactory/factories/.bicep/nested_rbac.bicep index 9ec94ace90..ed0ad01de3 100644 --- a/arm/Microsoft.DataFactory/factories/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.DataFactory/factories/.bicep/nested_rbac.bicep 
@@ -48,7 +48,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: dataFactory
 }]
diff --git a/arm/Microsoft.DataFactory/factories/.parameters/parameters.json b/arm/Microsoft.DataFactory/factories/.parameters/parameters.json
index f686b88025..8b5e31f738 100644
--- a/arm/Microsoft.DataFactory/factories/.parameters/parameters.json
+++ b/arm/Microsoft.DataFactory/factories/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "<>-adf-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "managedVirtualNetworkName": {
 "value": "default"
 },
diff --git a/arm/Microsoft.DataFactory/factories/deploy.bicep b/arm/Microsoft.DataFactory/factories/deploy.bicep
index 7b740e8e3b..15043a78ca 100644
--- a/arm/Microsoft.DataFactory/factories/deploy.bicep
+++ b/arm/Microsoft.DataFactory/factories/deploy.bicep
@@ -52,12 +52,12 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''
 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
 @description('Optional. Enables system assigned managed identity on the resource.')
 param systemAssignedIdentity bool = false
@@ -135,7 +135,7 @@ var identity = identityType != 'None' ? {
 userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
-var enableReferencedModulesTelemetry = false
+var enableChildTelemetry = false
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
@@ -165,7 +165,7 @@ module dataFactory_managedVirtualNetwork 'managedVirtualNetwork/deploy.bicep' =
 params: {
 name: managedVirtualNetworkName
 dataFactoryName: dataFactory.name
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }
@@ -177,18 +177,18 @@ module dataFactory_integrationRuntime 'integrationRuntime/deploy.bicep' = if (!e
 type: integrationRuntime.type
 managedVirtualNetworkName: contains(integrationRuntime, 'managedVirtualNetworkName') ? integrationRuntime.managedVirtualNetworkName : ''
 typeProperties: integrationRuntime.typeProperties
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 dependsOn: [
 dataFactory_managedVirtualNetwork
 ]
 }
-resource dataFactory_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource dataFactory_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${dataFactory.name}-${lock}-lock'
 properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock
+ notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: dataFactory
 }
@@ -206,7 +206,7 @@ resource dataFactory_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2
 scope: dataFactory
 }
-module dataFactory_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module dataFactory_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-DataFactory-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.DataFactory/factories/integrationRuntime/deploy.bicep b/arm/Microsoft.DataFactory/factories/integrationRuntime/deploy.bicep
index 84a3029fc4..213e310864 100644
--- a/arm/Microsoft.DataFactory/factories/integrationRuntime/deploy.bicep
+++ b/arm/Microsoft.DataFactory/factories/integrationRuntime/deploy.bicep
@@ -45,7 +45,7 @@ resource integrationRuntime 'Microsoft.DataFactory/factories/integrationRuntimes
 name: name
 parent: dataFactory
 properties: {
- type: any(type)
+ type: type
 managedVirtualNetwork: type == 'Managed' ? managedVirtualNetwork_var : null
 typeProperties: typeProperties
 }
diff --git a/arm/Microsoft.DataFactory/factories/readme.md b/arm/Microsoft.DataFactory/factories/readme.md
index a04429f76b..550b4b8317 100644
--- a/arm/Microsoft.DataFactory/factories/readme.md
+++ b/arm/Microsoft.DataFactory/factories/readme.md
@@ -46,7 +46,7 @@ | `gitRootFolder` | string | `'/'` | | The root folder path name. Default is '/'. | | `integrationRuntime` | _[integrationRuntime](integrationRuntime/readme.md)_ object | `{object}` | | The object for the configuration of a Integration Runtime. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `managedVirtualNetworkName` | string | `''` | | The name of the Managed Virtual Network. | | `publicNetworkAccess` | bool | `True` | | Enable or disable public network access. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -214,9 +214,6 @@ userAssignedIdentities: { "name": { "value": "<>-adf-001" }, - "lock": { - "value": "CanNotDelete" - }, "managedVirtualNetworkName": { "value": "default" }, @@ -287,7 +284,6 @@ module factories './Microsoft.DataFactory/factories/deploy.bicep' = { name: '${uniqueString(deployment().name)}-factories' params: { name: '<>-adf-001' - lock: 'CanNotDelete' managedVirtualNetworkName: 'default' integrationRuntime: { name: 'AutoResolveIntegrationRuntime' diff --git a/arm/Microsoft.DataProtection/backupVaults/.bicep/nested_rbac.bicep b/arm/Microsoft.DataProtection/backupVaults/.bicep/nested_rbac.bicep deleted file mode 100644 index 2f52129333..0000000000 --- a/arm/Microsoft.DataProtection/backupVaults/.bicep/nested_rbac.bicep +++ /dev/null 
@@ -1,43 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -var builtInRoleNames = { - 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') -} - -resource bv 'Microsoft.DataProtection/backupVaults@2022-03-01' existing = { - name: last(split(resourceId, '/')) -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: { - name: guid(bv.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - } - scope: bv -}] diff --git a/arm/Microsoft.DataProtection/backupVaults/.parameters/min.parameters.json b/arm/Microsoft.DataProtection/backupVaults/.parameters/min.parameters.json deleted file mode 100644 index 6b44ecfa38..0000000000 
--- a/arm/Microsoft.DataProtection/backupVaults/.parameters/min.parameters.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-bv-min-001" - } - } -} diff --git a/arm/Microsoft.DataProtection/backupVaults/.parameters/parameters.json b/arm/Microsoft.DataProtection/backupVaults/.parameters/parameters.json deleted file mode 100644 index bad76a8a40..0000000000 --- a/arm/Microsoft.DataProtection/backupVaults/.parameters/parameters.json +++ /dev/null 
@@ -1,76 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-bv-x-001" - }, - "lock": { - "value": "CanNotDelete" - }, - "backupPolicies": { - "value": [ - { - "name": "DefaultPolicy", - "properties": { - "policyRules": [ - { - "backupParameters": { - "backupType": "Incremental", - "objectType": "AzureBackupParams" - }, - "trigger": { - "schedule": { - "repeatingTimeIntervals": [ - "R/2022-05-31T23:30:00+01:00/P1D" - ], - "timeZone": "W. Europe Standard Time" - }, - "taggingCriteria": [ - { - "tagInfo": { - "tagName": "Default", - "id": "Default_" - }, - "taggingPriority": 99, - "isDefault": true - } - ], - "objectType": "ScheduleBasedTriggerContext" - }, - "dataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - }, - "name": "BackupDaily", - "objectType": "AzureBackupRule" - }, - { - "lifecycles": [ - { - "deleteAfter": { - "objectType": "AbsoluteDeleteOption", - "duration": "P7D" - }, - "targetDataStoreCopySettings": [], - "sourceDataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - } - } - ], - "isDefault": true, - "name": "Default", - "objectType": "AzureRetentionRule" - } - ], - "datasourceTypes": [ - "Microsoft.Compute/disks" - ], - "objectType": "BackupPolicy" - } - } - ] - } - } -} diff --git a/arm/Microsoft.DataProtection/backupVaults/backupPolicies/deploy.bicep b/arm/Microsoft.DataProtection/backupVaults/backupPolicies/deploy.bicep deleted file mode 100644 index 7861a1f5e2..0000000000 --- a/arm/Microsoft.DataProtection/backupVaults/backupPolicies/deploy.bicep +++ /dev/null 
@@ -1,42 +0,0 @@ -@description('Required. The name of the backup vault.') -param backupVaultName string - -@description('Optional. The name of the backup policy.') -param name string = 'DefaultPolicy' - -@description('Optional. The properties of the backup policy.') -param properties object = {} - -@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource backupVault 'Microsoft.DataProtection/backupVaults@2022-03-01' existing = { - name: backupVaultName -} - -resource backupPolicy 'Microsoft.DataProtection/backupVaults/backupPolicies@2022-03-01' = { - name: name - parent: backupVault - properties: properties -} - -@description('The name of the backup policy.') -output name string = backupPolicy.name - -@description('The resource ID of the backup policy.') -output resourceId string = backupPolicy.id - -@description('The name of the resource group the backup policy was created in.') -output resourceGroupName string = resourceGroup().name diff --git a/arm/Microsoft.DataProtection/backupVaults/backupPolicies/readme.md b/arm/Microsoft.DataProtection/backupVaults/backupPolicies/readme.md deleted file mode 100644 index 27fb106813..0000000000 --- a/arm/Microsoft.DataProtection/backupVaults/backupPolicies/readme.md +++ /dev/null 
@@ -1,176 +0,0 @@ -# DataProtection BackupVaults BackupPolicies `[Microsoft.DataProtection/backupVaults/backupPolicies]` - -This module deploys DataProtection BackupVaults BackupPolicies. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.DataProtection/backupVaults/backupPolicies` | [2022-03-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DataProtection/2022-03-01/backupVaults/backupPolicies) | - -## Parameters - -**Required parameters** -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `backupVaultName` | string | The name of the backup vault. | - -**Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `name` | string | `'DefaultPolicy'` | The name of the backup policy. | -| `properties` | object | `{object}` | The properties of the backup policy. | - - -### Parameter Usage: `properties` - -Create a backup policy. - -

- -Parameter JSON format - -```json - "properties": { - "value": { - "policyRules": [ - { - "backupParameters": { - "backupType": "Incremental", - "objectType": "AzureBackupParams" - }, - "trigger": { - "schedule": { - "repeatingTimeIntervals": [ - "R/2022-05-31T23:30:00+01:00/P1D" - ], - "timeZone": "W. Europe Standard Time" - }, - "taggingCriteria": [ - { - "tagInfo": { - "tagName": "Default", - "id": "Default_" - }, - "taggingPriority": 99, - "isDefault": true - } - ], - "objectType": "ScheduleBasedTriggerContext" - }, - "dataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - }, - "name": "BackupDaily", - "objectType": "AzureBackupRule" - }, - { - "lifecycles": [ - { - "deleteAfter": { - "objectType": "AbsoluteDeleteOption", - "duration": "P7D" - }, - "targetDataStoreCopySettings": [], - "sourceDataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - } - } - ], - "isDefault": true, - "name": "Default", - "objectType": "AzureRetentionRule" - } - ], - "datasourceTypes": [ - "Microsoft.Compute/disks" - ], - "objectType": "BackupPolicy" - } -} -``` - -
- -
- -Bicep format - -```bicep -properties: { - policyRules: [ - { - backupParameters: { - backupType: 'Incremental' - objectType: 'AzureBackupParams' - } - trigger: { - schedule: { - repeatingTimeIntervals: [ - 'R/2022-05-31T23:30:00+01:00/P1D' - ] - timeZone: 'W. Europe Standard Time' - } - taggingCriteria: [ - { - tagInfo: { - tagName: 'Default' - id: 'Default_' - } - taggingPriority: 99 - isDefault: true - } - ] - objectType: 'ScheduleBasedTriggerContext' - } - dataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - name: 'BackupDaily' - objectType: 'AzureBackupRule' - } - { - lifecycles: [ - { - deleteAfter: { - objectType: 'AbsoluteDeleteOption' - duration: 'P7D' - } - targetDataStoreCopySettings: [] - sourceDataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - } - ] - isDefault: true - name: 'Default' - objectType: 'AzureRetentionRule' - } - ] - datasourceTypes: [ - 'Microsoft.Compute/disks' - ] - objectType: 'BackupPolicy' -} -``` - -
- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the backup policy. | -| `resourceGroupName` | string | The name of the resource group the backup policy was created in. | -| `resourceId` | string | The resource ID of the backup policy. | diff --git a/arm/Microsoft.DataProtection/backupVaults/backupPolicies/version.json b/arm/Microsoft.DataProtection/backupVaults/backupPolicies/version.json deleted file mode 100644 index bfb28197ff..0000000000 --- a/arm/Microsoft.DataProtection/backupVaults/backupPolicies/version.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "version": "0.4" -} diff --git a/arm/Microsoft.DataProtection/backupVaults/deploy.bicep b/arm/Microsoft.DataProtection/backupVaults/deploy.bicep deleted file mode 100644 index 7018414b15..0000000000 --- a/arm/Microsoft.DataProtection/backupVaults/deploy.bicep +++ /dev/null 
@@ -1,127 +0,0 @@ -@description('Required. Name of the Backup Vault.') -param name string - -@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] - -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = '' - -@description('Optional. Enables system assigned managed identity on the resource.') -param systemAssignedIdentity bool = false - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} - -@description('Optional. Tags of the Recovery Service Vault resource.') -param tags object = {} - -@description('Optional. The datastore type to use.') -@allowed([ - 'ArchiveStore' - 'SnapshotStore' - 'VaultStore' -]) -param dataStoreType string = 'SnapshotStore' - -@description('Optional. The vault redundancy level to use.') -@allowed([ - 'LocallyRedundant' - 'GeoRedundant' -]) -param type string = 'LocallyRedundant' - -@description('Optional. List of all backup policies.') -param backupPolicies array = [] - -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') - -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? 
userAssignedIdentities : null -} : null - -var enableReferencedModulesTelemetry = false - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource backupVault 'Microsoft.DataProtection/backupVaults@2022-03-01' = { - name: name - location: location - tags: tags - identity: any(identity) - properties: { - storageSettings: [ - { - type: type - datastoreType: dataStoreType - } - ] - } -} - -module backupVault_backupPolicies 'backupPolicies/deploy.bicep' = [for (backupPolicy, index) in backupPolicies: { - name: '${uniqueString(deployment().name, location)}-BV-BackupPolicy-${index}' - params: { - backupVaultName: backupVault.name - name: backupPolicy.name - properties: backupPolicy.properties - enableDefaultTelemetry: enableReferencedModulesTelemetry - } -}] - -resource backupVault_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { - name: '${backupVault.name}-${lock}-lock' - properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' - } - scope: backupVault -} - -module backupVault_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-bv-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? 
roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - resourceId: backupVault.id - } -}] - -@description('The resource ID of the backup vault.') -output resourceId string = backupVault.id - -@description('The name of the resource group the recovery services vault was created in.') -output resourceGroupName string = resourceGroup().name - -@description('The Name of the backup vault.') -output name string = backupVault.name - -@description('The principal ID of the system assigned identity.') -output systemAssignedPrincipalId string = systemAssignedIdentity && contains(backupVault.identity, 'principalId') ? backupVault.identity.principalId : '' - -@description('The location the resource was deployed into.') -output location string = backupVault.location diff --git a/arm/Microsoft.DataProtection/backupVaults/readme.md b/arm/Microsoft.DataProtection/backupVaults/readme.md deleted file mode 100644 index b83dc6ea84..0000000000 --- a/arm/Microsoft.DataProtection/backupVaults/readme.md +++ /dev/null 
@@ -1,535 +0,0 @@ -# DataProtection BackupVaults `[Microsoft.DataProtection/backupVaults]` - -This module deploys DataProtection BackupVaults. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Deployment examples](#Deployment-examples) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | -| `Microsoft.DataProtection/backupVaults` | [2022-03-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DataProtection/2022-03-01/backupVaults) | -| `Microsoft.DataProtection/backupVaults/backupPolicies` | [2022-03-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.DataProtection/2022-03-01/backupVaults/backupPolicies) | - -## Parameters - -**Required parameters** -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | Name of the Backup Vault. | - -**Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `backupPolicies` | _[backupPolicies](backupPolicies/readme.md)_ array | `[]` | | List of all backup policies. | -| `dataStoreType` | string | `'SnapshotStore'` | `[ArchiveStore, SnapshotStore, VaultStore]` | The datastore type to use. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. 
| -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the Recovery Service Vault resource. | -| `type` | string | `'LocallyRedundant'` | `[LocallyRedundant, GeoRedundant]` | The vault redundancy level to use. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | - - -### Parameter Usage: `backupPolicies` - -Create backup policies in the backupvault. - -
- -Parameter JSON format -```json - "backupPolicies": { - "value": [ - { - "name": "DefaultPolicy", - "properties": { - "policyRules": [ - { - "backupParameters": { - "backupType": "Incremental", - "objectType": "AzureBackupParams" - }, - "trigger": { - "schedule": { - "repeatingTimeIntervals": [ - "R/2022-05-31T23:30:00+01:00/P1D" - ], - "timeZone": "W. Europe Standard Time" - }, - "taggingCriteria": [ - { - "tagInfo": { - "tagName": "Default", - "id": "Default_" - }, - "taggingPriority": 99, - "isDefault": true - } - ], - "objectType": "ScheduleBasedTriggerContext" - }, - "dataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - }, - "name": "BackupDaily", - "objectType": "AzureBackupRule" - }, - { - "lifecycles": [ - { - "deleteAfter": { - "objectType": "AbsoluteDeleteOption", - "duration": "P7D" - }, - "targetDataStoreCopySettings": [], - "sourceDataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - } - } - ], - "isDefault": true, - "name": "Default", - "objectType": "AzureRetentionRule" - } - ], - "datasourceTypes": [ - "Microsoft.Compute/disks" - ], - "objectType": "BackupPolicy" - } - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -backupPolicies: [ - { - name: 'DefaultPolicy' - properties: { - policyRules: [ - { - backupParameters: { - backupType: 'Incremental' - objectType: 'AzureBackupParams' - } - trigger: { - schedule: { - repeatingTimeIntervals: [ - 'R/2022-05-31T23:30:00+01:00/P1D' - ] - timeZone: 'W. Europe Standard Time' - } - taggingCriteria: [ - { - tagInfo: { - tagName: 'Default' - id: 'Default_' - } - taggingPriority: 99 - isDefault: true - } - ] - objectType: 'ScheduleBasedTriggerContext' - } - dataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - name: 'BackupDaily' - objectType: 'AzureBackupRule' - } - { - lifecycles: [ - { - deleteAfter: { - objectType: 'AbsoluteDeleteOption' - duration: 'P7D' - } - targetDataStoreCopySettings: [] - sourceDataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - } - ] - isDefault: true - name: 'Default' - objectType: 'AzureRetentionRule' - } - ] - datasourceTypes: [ - 'Microsoft.Compute/disks' - ] - objectType: 'BackupPolicy' - } - } -] -``` - -
- -### Parameter Usage: `roleAssignments` - -Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. - -
- -Parameter JSON format - -```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "description": "Reader Role Assignment", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ], - "principalType": "ServicePrincipal" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - description: 'Reader Role Assignment' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - '78945612-1234-1234-1234-123456789012' // object 2 - ] - } - { - roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - principalIds: [ - '12345678-1234-1234-1234-123456789012' // object 1 - ] - principalType: 'ServicePrincipal' - } -] -``` - -
-

- -### Parameter Usage: `tags` - -Tag names and tag values can be provided as needed. A tag can be left without a value. - -

- -Parameter JSON format - -```json -"tags": { - "value": { - "Environment": "Non-Prod", - "Contact": "test.user@testcompany.com", - "PurchaseOrder": "1234", - "CostCenter": "7890", - "ServiceName": "DeploymentValidation", - "Role": "DeploymentValidation" - } -} -``` - -
- -
- -Bicep format - -```bicep -tags: { - Environment: 'Non-Prod' - Contact: 'test.user@testcompany.com' - PurchaseOrder: '1234' - CostCenter: '7890' - ServiceName: 'DeploymentValidation' - Role: 'DeploymentValidation' -} -``` - -
-

- -### Parameter Usage: `userAssignedIdentities` - -You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: - -

- -Parameter JSON format - -```json -"userAssignedIdentities": { - "value": { - "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, - "/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} - } -} -``` - -
- -
- -Bicep format - -```bicep -userAssignedIdentities: { - '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} - '/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} -} -``` - -
-

- -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The Name of the backup vault. | -| `resourceGroupName` | string | The name of the resource group the recovery services vault was created in. | -| `resourceId` | string | The resource ID of the backup vault. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | - -## Deployment examples - -

Example 1

- -
- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-bv-min-001" - } - } -} - -``` - -
- -
- -via Bicep module - -```bicep -module backupVaults './Microsoft.DataProtection/backupVaults/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-backupVaults' - params: { - name: '<>-az-bv-min-001' - } -``` - -
-

- -

Example 2

- -
- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-bv-x-001" - }, - "lock": { - "value": "CanNotDelete" - }, - "backupPolicies": { - "value": [ - { - "name": "DefaultPolicy", - "properties": { - "policyRules": [ - { - "backupParameters": { - "backupType": "Incremental", - "objectType": "AzureBackupParams" - }, - "trigger": { - "schedule": { - "repeatingTimeIntervals": [ - "R/2022-05-31T23:30:00+01:00/P1D" - ], - "timeZone": "W. Europe Standard Time" - }, - "taggingCriteria": [ - { - "tagInfo": { - "tagName": "Default", - "id": "Default_" - }, - "taggingPriority": 99, - "isDefault": true - } - ], - "objectType": "ScheduleBasedTriggerContext" - }, - "dataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - }, - "name": "BackupDaily", - "objectType": "AzureBackupRule" - }, - { - "lifecycles": [ - { - "deleteAfter": { - "objectType": "AbsoluteDeleteOption", - "duration": "P7D" - }, - "targetDataStoreCopySettings": [], - "sourceDataStore": { - "dataStoreType": "OperationalStore", - "objectType": "DataStoreInfoBase" - } - } - ], - "isDefault": true, - "name": "Default", - "objectType": "AzureRetentionRule" - } - ], - "datasourceTypes": [ - "Microsoft.Compute/disks" - ], - "objectType": "BackupPolicy" - } - } - ] - } - } -} - -``` - -
- -
- -via Bicep module - -```bicep -module backupVaults './Microsoft.DataProtection/backupVaults/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-backupVaults' - params: { - name: '<>-az-bv-x-001' - lock: 'CanNotDelete' - backupPolicies: [ - { - name: 'DefaultPolicy' - properties: { - policyRules: [ - { - backupParameters: { - backupType: 'Incremental' - objectType: 'AzureBackupParams' - } - trigger: { - schedule: { - repeatingTimeIntervals: [ - 'R/2022-05-31T23:30:00+01:00/P1D' - ] - timeZone: 'W. Europe Standard Time' - } - taggingCriteria: [ - { - tagInfo: { - tagName: 'Default' - id: 'Default_' - } - taggingPriority: 99 - isDefault: true - } - ] - objectType: 'ScheduleBasedTriggerContext' - } - dataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - name: 'BackupDaily' - objectType: 'AzureBackupRule' - } - { - lifecycles: [ - { - deleteAfter: { - objectType: 'AbsoluteDeleteOption' - duration: 'P7D' - } - targetDataStoreCopySettings: [] - sourceDataStore: { - dataStoreType: 'OperationalStore' - objectType: 'DataStoreInfoBase' - } - } - ] - isDefault: true - name: 'Default' - objectType: 'AzureRetentionRule' - } - ] - datasourceTypes: [ - 'Microsoft.Compute/disks' - ] - objectType: 'BackupPolicy' - } - } - ] - } -``` - -
-

diff --git a/arm/Microsoft.DataProtection/backupVaults/version.json b/arm/Microsoft.DataProtection/backupVaults/version.json
deleted file mode 100644
index bfb28197ff..0000000000
--- a/arm/Microsoft.DataProtection/backupVaults/version.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "version": "0.4"
-}
diff --git a/arm/Microsoft.Databricks/workspaces/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Databricks/workspaces/.bicep/nested_rbac.bicep
similarity index 97%
rename from arm/Microsoft.Databricks/workspaces/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Databricks/workspaces/.bicep/nested_rbac.bicep
index 1f7cd94516..dbc4b2dc64 100644
--- a/arm/Microsoft.Databricks/workspaces/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Databricks/workspaces/.bicep/nested_rbac.bicep
@@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
description: description
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
}
scope: workspace
}]
diff --git a/arm/Microsoft.Databricks/workspaces/.parameters/parameters.json b/arm/Microsoft.Databricks/workspaces/.parameters/parameters.json
index dc327499f5..7d3ba311ec 100644
--- a/arm/Microsoft.Databricks/workspaces/.parameters/parameters.json
+++ b/arm/Microsoft.Databricks/workspaces/.parameters/parameters.json
@@ -5,9 +5,6 @@
"name": {
"value": "<>-az-adb-x-001"
},
- "lock": {
- "value": "CanNotDelete"
- },
"roleAssignments": {
"value": [
{
diff --git a/arm/Microsoft.Databricks/workspaces/deploy.bicep b/arm/Microsoft.Databricks/workspaces/deploy.bicep
index bd531ac2b2..6a9addb035 100644
--- a/arm/Microsoft.Databricks/workspaces/deploy.bicep
+++ b/arm/Microsoft.Databricks/workspaces/deploy.bicep
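Review bot: Dropping `"lock": { "value": "CanNotDelete" }` from the Databricks module's test parameter file means the `workspace_lock` resource, whose condition is rewritten in the deploy.bicep hunks that follow, is no longer exercised by the validation deployment, so the new `lock != 'NotSpecified'` path ships untested. The same removal is made in the applicationgroups and hostpools parameter files further down, and the readme examples follow suit. If the lock was removed so that test resources can be torn down, consider keeping one parameter set that still sets `CanNotDelete` and releasing the lock in the cleanup step, or recording why lock creation is left to manual testing; I cannot see the test pipeline here, so the reason for the removal is inferred.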
@@ -39,12 +39,12 @@ param diagnosticEventHubAuthorizationRuleId string = ''
param diagnosticEventHubName string = ''
@allowed([
- ''
'CanNotDelete'
+ 'NotSpecified'
'ReadOnly'
])
@description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
@description('Optional. Tags of the resource.')
param tags object = {}
@@ -118,11 +118,11 @@ resource workspace 'Microsoft.Databricks/workspaces@2018-04-01' = {
}
}
-resource workspace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource workspace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
name: '${workspace.name}-${lock}-lock'
properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock
+ notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
}
scope: workspace
}
@@ -140,7 +140,7 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@202
scope: workspace
}
-module workspace_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module workspace_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
name: '${uniqueString(deployment().name, location)}-DataBricks-Rbac-${index}'
params: {
description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Databricks/workspaces/readme.md b/arm/Microsoft.Databricks/workspaces/readme.md
index 86926ed7c0..b8fa3709f9 100644
--- a/arm/Microsoft.Databricks/workspaces/readme.md
+++ b/arm/Microsoft.Databricks/workspaces/readme.md
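Review bot: `@description('Optional. Specify the type of lock.')` on `param lock` is kept unchanged even though `'NotSpecified'` is now the default and is listed in `@allowed`, so the generated readme presents three lock levels where Azure only has two and nothing tells the caller that the new value means "deploy no lock". Suggest `@description('Optional. Specify the type of lock. \'NotSpecified\' (the default) deploys no lock resource.')`. The same description and sentinel are introduced in the applicationgroups and hostpools deploy.bicep hunks further down and should be updated alongside.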
@@ -35,7 +35,7 @@ | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `managedResourceGroupId` | string | `''` | | The managed resource group ID. | | `pricingTier` | string | `'premium'` | `[trial, standard, premium]` | The pricing tier of workspace. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -233,9 +233,6 @@ tags: { "name": { "value": "<>-az-adb-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { @@ -277,7 +274,6 @@ module workspaces './Microsoft.Databricks/workspaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-workspaces' params: { name: '<>-az-adb-x-001' - lock: 'CanNotDelete' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_rbac.bicep index 0af2eb4e13..899fd65e14 100644 
--- a/arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_rbac.bicep
@@ -55,7 +55,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
description: description
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
}
scope: appGroup
}]
diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/.parameters/parameters.json b/arm/Microsoft.DesktopVirtualization/applicationgroups/.parameters/parameters.json
index 7e71ce4904..2b43fed106 100644
--- a/arm/Microsoft.DesktopVirtualization/applicationgroups/.parameters/parameters.json
+++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/.parameters/parameters.json
@@ -5,9 +5,6 @@
"name": {
"value": "<>-az-avdag-x-001"
},
- "lock": {
- "value": "CanNotDelete"
- },
"location": {
"value": "westeurope"
},
diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.bicep b/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.bicep
index 8a1cb90b38..c9db7baa9c 100644
--- a/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.bicep
+++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.bicep
@@ -42,12 +42,12 @@ param diagnosticEventHubAuthorizationRuleId string = ''
param diagnosticEventHubName string = ''
@allowed([
- ''
'CanNotDelete'
+ 'NotSpecified'
'ReadOnly'
])
@sys.description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
@sys.description('Optional. Tags of the resource.')
param tags object = {}
@@ -82,7 +82,7 @@ var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
}
}]
-var enableReferencedModulesTelemetry = false
+var enableChildTelemetry = false
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
@@ -112,11 +112,11 @@ resource appGroup 'Microsoft.DesktopVirtualization/applicationgroups@2021-07-12'
}
}
-resource appGroup_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource appGroup_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
name: '${appGroup.name}-${lock}-lock'
properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock
+ notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
}
scope: appGroup
}
@@ -146,11 +146,11 @@ module appGroup_applications 'applications/deploy.bicep' = [for (application, in
showInPortal: contains(application, 'showInPortal') ? application.showInPortal : false
iconPath: contains(application, 'iconPath') ? application.iconPath : application.filePath
iconIndex: contains(application, 'iconIndex') ? application.iconIndex : 0
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
}
}]
-module appGroup_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module appGroup_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
name: '${uniqueString(deployment().name, location)}-AppGroup-Rbac-${index}'
params: {
description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
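Review bot: Renaming `enableReferencedModulesTelemetry` to `enableChildTelemetry` in the applicationgroups module alone diverges from the name the other modules in this diff use for the same flag (the deleted backupVaults deploy.bicep above still passes `enableReferencedModulesTelemetry` to its child modules), which makes a repo-wide search for the telemetry switch miss this module. If the rename is meant to be repository-wide it should land with the other modules; otherwise keep `var enableReferencedModulesTelemetry = false` here. I cannot see the remaining modules' variable declarations in this chunk, so the inconsistency is inferred from the visible hunks.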
diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md b/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md index f241f5f1ae..142a7ed371 100644 --- a/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md +++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md @@ -43,7 +43,7 @@ This module deploys an Azure virtual desktop application group. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `friendlyName` | string | `''` | | The friendly name of the Application Group to be created. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -217,9 +217,6 @@ module applicationgroups './Microsoft.DesktopVirtualization/applicationgroups/de "name": { "value": "<>-az-avdag-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "location": { "value": "westeurope" }, @@ -296,7 +293,6 @@ module applicationgroups './Microsoft.DesktopVirtualization/applicationgroups/de name: '${uniqueString(deployment().name)}-applicationgroups' params: { name: '<>-az-avdag-x-001' - lock: 'CanNotDelete' location: 'westeurope' applicationGroupType: 'RemoteApp' hostpoolName: 'adp-<>-az-avdhp-x-001' 
diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_rbac.bicep
similarity index 98%
rename from arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_rbac.bicep
index 4add31f03d..664054c57e 100644
--- a/arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_rbac.bicep
@@ -56,7 +56,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
description: description
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
}
scope: hostPool
}]
diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/.parameters/parameters.json b/arm/Microsoft.DesktopVirtualization/hostpools/.parameters/parameters.json
index 076213824f..ba8ef0e1f9 100644
--- a/arm/Microsoft.DesktopVirtualization/hostpools/.parameters/parameters.json
+++ b/arm/Microsoft.DesktopVirtualization/hostpools/.parameters/parameters.json
@@ -5,9 +5,6 @@
"name": {
"value": "<>-az-avdhp-x-001"
},
- "lock": {
- "value": "CanNotDelete"
- },
"location": {
"value": "westeurope"
},
@@ -51,6 +48,9 @@
}
}
},
+ "validationEnviroment": {
+ "value": false
+ },
"roleAssignments": {
"value": [
{
diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/deploy.bicep b/arm/Microsoft.DesktopVirtualization/hostpools/deploy.bicep
index 37e98eb3e0..ab23fb2f06 100644
--- a/arm/Microsoft.DesktopVirtualization/hostpools/deploy.bicep
+++ b/arm/Microsoft.DesktopVirtualization/hostpools/deploy.bicep
@@ -40,8 +40,8 @@ param maxSessionLimit int = 99999
@description('Optional. Host Pool RDP properties.')
param customRdpProperty string = 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;'
-@description('Optional. Validation host pools allows you to test service changes before they are deployed to production. When set to true, the Host Pool will be deployed in a validation \'ring\' (environment) that receives all the new features (might be less stable). Defaults to false that stands for the stable, production-ready environment.')
-param validationEnvironment bool = false
+@description('Optional. Whether to use validation enviroment. When set to true, the Host Pool will be deployed in a validation \'ring\' (environment) that receives all the new features (might be less stable). Ddefaults to false that stands for the stable, production-ready environment.')
+param validationEnviroment bool = false
@description('Optional. The necessary information for adding more VMs to this Host Pool.')
param vmTemplate object = {}
@@ -70,12 +70,12 @@ param diagnosticEventHubAuthorizationRuleId string = ''
param diagnosticEventHubName string = ''
@allowed([
- ''
'CanNotDelete'
+ 'NotSpecified'
'ReadOnly'
])
@description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
@description('Optional. Tags of the resource.')
param tags object = {}
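Review bot: `param validationEnvironment bool = false` is renamed here to the misspelled `validationEnviroment`, while the `@@ -94,6 +94,9 @@` hunk below re-adds `validationEnvironment` and the `@@ -154,6 +157,7 @@` hunk then sets both `validationEnviroment: validationEnviroment` and `validationEnvironment: validationEnvironment` on the `hostPool` resource, which reads like a merge that resurrected an old typo rather than an intended change. As far as I know `Microsoft.DesktopVirtualization/hostpools` only exposes `validationEnvironment`, so the misspelled property will at best be flagged by the Bicep linter and at worst be ignored by the resource provider, leaving a caller who sets only `validationEnviroment: true` with a production-ring host pool they believe is a validation one. Suggest keeping `param validationEnvironment bool = false` with its original description in this hunk, dropping the second declaration and the extra resource property in the hunks below, and removing the `validationEnviroment` entries added to the parameters.json hunk above and to the readme table and example further down. The new description text also carries the typo `Ddefaults`.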
@@ -94,6 +94,9 @@ param preferredAppGroupType string = 'Desktop'
@description('Optional. Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs.')
param startVMOnConnect bool = false
+@description('Optional. Validation host pool allows you to test service changes before they are deployed to production.')
+param validationEnvironment bool = false
+
@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
param roleAssignments array = []
@@ -154,6 +157,7 @@ resource hostPool 'Microsoft.DesktopVirtualization/hostpools@2021-07-12' = {
preferredAppGroupType: preferredAppGroupType
maxSessionLimit: maxSessionLimit
loadBalancerType: loadBalancerType
+ validationEnviroment: validationEnviroment
startVMOnConnect: startVMOnConnect
validationEnvironment: validationEnvironment
registrationInfo: {
@@ -165,11 +169,11 @@ resource hostPool 'Microsoft.DesktopVirtualization/hostpools@2021-07-12' = {
}
}
-resource hostPool_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource hostPool_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
name: '${hostPool.name}-${lock}-lock'
properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock
+ notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
}
scope: hostPool
}
@@ -186,7 +190,7 @@ resource hostPool_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021 scope: hostPool } -module hostPool_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module hostPool_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-HostPool-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/readme.md b/arm/Microsoft.DesktopVirtualization/hostpools/readme.md index 0f3f4473db..42473951ee 100644 --- a/arm/Microsoft.DesktopVirtualization/hostpools/readme.md +++ b/arm/Microsoft.DesktopVirtualization/hostpools/readme.md @@ -42,7 +42,7 @@ This module deploys an Azure virtual desktop host pool. | `hostpoolType` | string | `'Pooled'` | `[Personal, Pooled]` | Set this parameter to Personal if you would like to enable Persistent Desktop experience. Defaults to Pooled. | | `loadBalancerType` | string | `'BreadthFirst'` | `[BreadthFirst, DepthFirst, Persistent]` | Type of load balancer algorithm. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `maxSessionLimit` | int | `99999` | | Maximum number of sessions. | | `personalDesktopAssignmentType` | string | `''` | `[Automatic, Direct, ]` | Set the type of assignment for a Personal Host Pool type. | | `preferredAppGroupType` | string | `'Desktop'` | `[Desktop, None, RailApplications]` | The type of preferred application group type, default to Desktop Application Group. | 
@@ -50,7 +50,8 @@ This module deploys an Azure virtual desktop host pool. | `startVMOnConnect` | bool | `False` | | Enable Start VM on connect to allow users to start the virtual machine from a deallocated state. Important: Custom RBAC role required to power manage VMs. | | `tags` | object | `{object}` | | Tags of the resource. | | `tokenValidityLength` | string | `'PT8H'` | | Host Pool token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the token will be valid for 8 hours. | -| `validationEnvironment` | bool | `False` | | Validation host pools allows you to test service changes before they are deployed to production. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Defaults to false that stands for the stable, production-ready environment. | +| `validationEnviroment` | bool | `False` | | Whether to use validation enviroment. When set to true, the Host Pool will be deployed in a validation 'ring' (environment) that receives all the new features (might be less stable). Ddefaults to false that stands for the stable, production-ready environment. | +| `validationEnvironment` | bool | `False` | | Validation host pool allows you to test service changes before they are deployed to production. | | `vmTemplate` | object | `{object}` | | The necessary information for adding more VMs to this Host Pool. | **Generated parameters** @@ -269,9 +270,6 @@ tags: { "name": { "value": "<>-az-avdhp-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "location": { "value": "westeurope" }, @@ -315,6 +313,9 @@ tags: { } } }, + "validationEnviroment": { + "value": false + }, "roleAssignments": { "value": [ { 
@@ -356,7 +357,6 @@ module hostpools './Microsoft.DesktopVirtualization/hostpools/deploy.bicep' = { name: '${uniqueString(deployment().name)}-hostpools' params: { name: '<>-az-avdhp-x-001' - lock: 'CanNotDelete' location: 'westeurope' hostpoolFriendlyName: 'AVDv2' hostpoolDescription: 'My first AVD Host Pool' @@ -382,6 +382,7 @@ module hostpools './Microsoft.DesktopVirtualization/hostpools/deploy.bicep' = { ram: 8 } } + validationEnviroment: false roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/arm/Microsoft.DesktopVirtualization/scalingplans/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.DesktopVirtualization/scalingplans/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.DesktopVirtualization/scalingplans/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.DesktopVirtualization/scalingplans/.bicep/nested_rbac.bicep index 4add31f03d..664054c57e 100644 --- a/arm/Microsoft.DesktopVirtualization/scalingplans/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.DesktopVirtualization/scalingplans/.bicep/nested_rbac.bicep @@ -56,7 +56,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: hostPool }] diff --git a/arm/Microsoft.DesktopVirtualization/scalingplans/deploy.bicep b/arm/Microsoft.DesktopVirtualization/scalingplans/deploy.bicep index e3cd280024..ff6481d64d 100644 --- a/arm/Microsoft.DesktopVirtualization/scalingplans/deploy.bicep +++ b/arm/Microsoft.DesktopVirtualization/scalingplans/deploy.bicep 
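Review bot: Dropping `any()` so the property reads `principalType: !empty(principalType) ? principalType : null` is only type-safe if the `principalType` parameter is declared with an `@allowed` list matching the role-assignment API's enum; that declaration is outside the hunk, so this is inferred. If it is a bare `string`, Bicep's type checker may warn on the assignment and an unexpected value reaches the API unchecked at deploy time. Consider constraining the parameter (outside this hunk) with `@allowed([ '', 'Device', 'ForeignGroup', 'Group', 'ServicePrincipal', 'User' ])`. The same edit appears in the renamed nested_rbac.bicep hunks at L383, L387, L394 and L401.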
@@ -135,7 +135,7 @@ resource scalingplan_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2 scope: scalingPlan } -module scalingplan_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module scalingplan_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-Workspace-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_rbac.bicep index 4aa5b62342..b44a965305 100644 --- a/arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_rbac.bicep @@ -52,7 +52,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: workspace }] diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/.parameters/parameters.json b/arm/Microsoft.DesktopVirtualization/workspaces/.parameters/parameters.json index 5ffb007078..7220e4d78e 100644 --- a/arm/Microsoft.DesktopVirtualization/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.DesktopVirtualization/workspaces/.parameters/parameters.json 
@@ -5,9 +5,6 @@ "name": { "value": "<>-az-avdws-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "location": { "value": "westeurope" }, diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/deploy.bicep b/arm/Microsoft.DesktopVirtualization/workspaces/deploy.bicep index 2036ead3ea..1c5be804e2 100644 --- a/arm/Microsoft.DesktopVirtualization/workspaces/deploy.bicep +++ b/arm/Microsoft.DesktopVirtualization/workspaces/deploy.bicep @@ -4,7 +4,7 @@ param name string @description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Required. Resource IDs for the existing Application groups this workspace will group together.') +@description('Required. Resource IDs fo the existing Application groups this workspace will group together.') param appGroupResourceIds array = [] @description('Optional. The friendly name of the Workspace to be created.') @@ -31,12 +31,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Tags of the resource.') param tags object = {} @@ -96,11 +96,11 @@ resource workspace 'Microsoft.DesktopVirtualization/workspaces@2021-07-12' = { } } -resource workspace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource workspace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${workspace.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: workspace } 
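Review bot: The rewritten `@description` in the first deploy.bicep hunk introduces a typo — `'Required. Resource IDs fo the existing Application groups ...'` — and the readme hunk at L385 copies it; keep the original wording `@description('Required. Resource IDs for the existing Application groups this workspace will group together.')`. The lock rewrite (`if (lock != 'NotSpecified')`, the new default `'NotSpecified'` and the matching `@allowed` list) is internally consistent, but the parameters.json hunk on this line and its counterparts at L387, L394 and L401 delete the `"lock": "CanNotDelete"` value, so the module validation deployments no longer exercise `workspace_lock` or the equivalent lock resources. Keep at least one parameter file per module that sets a lock so the locked path stays covered. The same lock change is made at L388, L395 and L403. Separately, `'Required.'` on a parameter that carries the default `= []` is contradictory; that looks pre-existing, but the description is being touched anyway.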
@@ -117,7 +117,7 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@202 scope: workspace } -module workspace_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module workspace_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-Workspace-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/readme.md b/arm/Microsoft.DesktopVirtualization/workspaces/readme.md index 6b111be13b..fd3fe6a532 100644 --- a/arm/Microsoft.DesktopVirtualization/workspaces/readme.md +++ b/arm/Microsoft.DesktopVirtualization/workspaces/readme.md @@ -23,7 +23,7 @@ This module deploys an Azure virtual desktop workspace. **Required parameters** | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `appGroupResourceIds` | array | Resource IDs for the existing Application groups this workspace will group together. | +| `appGroupResourceIds` | array | Resource IDs fo the existing Application groups this workspace will group together. | | `name` | string | The name of the workspace to be attach to new Application Group. | **Optional parameters** 
@@ -38,7 +38,7 @@ This module deploys an Azure virtual desktop workspace. | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | | `workspaceDescription` | string | `''` | | The description of the Workspace to be created. | @@ -170,9 +170,6 @@ tags: { "name": { "value": "<>-az-avdws-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "location": { "value": "westeurope" }, @@ -228,7 +225,6 @@ module workspaces './Microsoft.DesktopVirtualization/workspaces/deploy.bicep' = name: '${uniqueString(deployment().name)}-workspaces' params: { name: '<>-az-avdws-x-001' - lock: 'CanNotDelete' location: 'westeurope' appGroupResourceIds: [ '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.DesktopVirtualization/applicationgroups/adp-<>-az-avdag-x-001' 
diff --git a/arm/Microsoft.DocumentDB/databaseAccounts/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.DocumentDB/databaseAccounts/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.DocumentDB/databaseAccounts/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.DocumentDB/databaseAccounts/.bicep/nested_rbac.bicep index 0b05979bde..a56558e8ff 100644 --- a/arm/Microsoft.DocumentDB/databaseAccounts/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.DocumentDB/databaseAccounts/.bicep/nested_rbac.bicep @@ -51,7 +51,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: databaseAccount }] diff --git a/arm/Microsoft.DocumentDB/databaseAccounts/.parameters/plain.parameters.json b/arm/Microsoft.DocumentDB/databaseAccounts/.parameters/plain.parameters.json index 564968cf20..70fbc40cc8 100644 --- a/arm/Microsoft.DocumentDB/databaseAccounts/.parameters/plain.parameters.json +++ b/arm/Microsoft.DocumentDB/databaseAccounts/.parameters/plain.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-cdb-plain-001" }, - "lock": { - "value": "CanNotDelete" - }, "locations": { "value": [ { diff --git a/arm/Microsoft.DocumentDB/databaseAccounts/deploy.bicep b/arm/Microsoft.DocumentDB/databaseAccounts/deploy.bicep index 1f603356aa..d4040cb764 100644 --- a/arm/Microsoft.DocumentDB/databaseAccounts/deploy.bicep +++ b/arm/Microsoft.DocumentDB/databaseAccounts/deploy.bicep 
@@ -63,12 +63,12 @@ param mongodbDatabases array = [] param enableDefaultTelemetry bool = true @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -179,7 +179,7 @@ var databaseAccount_locations = [for location in locations: { var kind = !empty(sqlDatabases) ? 'GlobalDocumentDB' : (!empty(mongodbDatabases) ? 'MongoDB' : 'Parse') -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false var databaseAccount_properties = !empty(sqlDatabases) ? { consistencyPolicy: consistencyPolicy[defaultConsistencyLevel] @@ -218,11 +218,11 @@ resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2021-06-15' = { properties: databaseAccount_properties } -resource databaseAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource databaseAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${databaseAccount.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: databaseAccount } 
@@ -240,7 +240,7 @@ resource databaseAccount_diagnosticSettings 'Microsoft.Insights/diagnosticsettin scope: databaseAccount } -module databaseAccount_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module databaseAccount_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' @@ -257,7 +257,7 @@ module sqlDatabases_resource 'sqlDatabases/deploy.bicep' = [for sqlDatabase in s databaseAccountName: databaseAccount.name name: sqlDatabase.name containers: contains(sqlDatabase, 'containers') ? sqlDatabase.containers : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -267,7 +267,7 @@ module mongodbDatabases_resource 'mongodbDatabases/deploy.bicep' = [for mongodbD databaseAccountName: databaseAccount.name name: mongodbDatabase.name collections: contains(mongodbDatabase, 'collections') ? mongodbDatabase.collections : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] diff --git a/arm/Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/deploy.bicep b/arm/Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/deploy.bicep index 7ec003f4fd..72319c9d02 100644 --- a/arm/Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/deploy.bicep +++ b/arm/Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/deploy.bicep 
@@ -16,7 +16,7 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' @@ -56,7 +56,7 @@ module mongodbDatabase_collections 'collections/deploy.bicep' = [for collection name: collection.name indexes: collection.indexes shardKey: collection.shardKey - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] diff --git a/arm/Microsoft.DocumentDB/databaseAccounts/readme.md b/arm/Microsoft.DocumentDB/databaseAccounts/readme.md index 9fa1394988..6893dd3e97 100644 --- a/arm/Microsoft.DocumentDB/databaseAccounts/readme.md +++ b/arm/Microsoft.DocumentDB/databaseAccounts/readme.md 
@@ -46,7 +46,7 @@ This module deploys a DocumentDB database account and its child resources. | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the log analytics workspace. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `maxIntervalInSeconds` | int | `300` | | Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400. | | `maxStalenessPrefix` | int | `100000` | | Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 1000000. Multi Region: 100000 to 1000000. | | `mongodbDatabases` | _[mongodbDatabases](mongodbDatabases/readme.md)_ array | `[]` | | MongoDB Databases configurations. | @@ -948,9 +948,6 @@ module databaseAccounts './Microsoft.DocumentDB/databaseAccounts/deploy.bicep' = "name": { "value": "<>-az-cdb-plain-001" }, - "lock": { - "value": "CanNotDelete" - }, "locations": { "value": [ { @@ -1006,7 +1003,6 @@ module databaseAccounts './Microsoft.DocumentDB/databaseAccounts/deploy.bicep' = name: '${uniqueString(deployment().name)}-databaseAccounts' params: { name: '<>-az-cdb-plain-001' - lock: 'CanNotDelete' locations: [ { locationName: 'West Europe' diff --git a/arm/Microsoft.DocumentDB/databaseAccounts/sqlDatabases/deploy.bicep b/arm/Microsoft.DocumentDB/databaseAccounts/sqlDatabases/deploy.bicep index 23a662b0ae..cbaa9cdcce 100644 --- a/arm/Microsoft.DocumentDB/databaseAccounts/sqlDatabases/deploy.bicep +++ b/arm/Microsoft.DocumentDB/databaseAccounts/sqlDatabases/deploy.bicep 
@@ -16,7 +16,7 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' @@ -56,7 +56,7 @@ module container 'containers/deploy.bicep' = [for container in containers: { name: container.name paths: container.paths kind: container.kind - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] diff --git a/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..82ab478cd6 --- /dev/null +++ b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_privateEndpoint.bicep 
@@ -0,0 +1,52 @@ +param privateEndpointResourceId string +param privateEndpointVnetLocation string +param privateEndpointObj object +param tags object + +var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) +var privateEndpoint_var = { + name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}') + subnetResourceId: privateEndpointObj.subnetResourceId + service: [ + privateEndpointObj.service + ] + privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : []) + customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null) +} + +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { + name: privateEndpoint_var.name + location: privateEndpointVnetLocation + tags: tags + properties: { + privateLinkServiceConnections: [ + { + name: privateEndpoint_var.name + properties: { + privateLinkServiceId: privateEndpointResourceId + groupIds: privateEndpoint_var.service + } + } + ] + manualPrivateLinkServiceConnections: [] + subnet: { + id: privateEndpoint_var.subnetResourceId + } + customDnsConfigs: privateEndpoint_var.customDnsConfigs + } +} + +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { + name: '${privateEndpoint_var.name}/default' + properties: { + privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): { + name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/')) + properties: { + privateDnsZoneId: 
privateEndpoint_var.privateDnsZoneResourceIds[j] + } + }] + } + dependsOn: [ + privateEndpoint + ] +} diff --git a/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.EventGrid/systemTopics/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep index bba6460f24..f61c5f2189 100644 --- a/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_rbac.bicep @@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: systemTopic }] diff --git a/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json b/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json index 5a415c770e..46728a6924 100644 --- a/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json +++ b/arm/Microsoft.EventGrid/systemTopics/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-egstn-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "source": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" }, diff --git a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep index 4814c0b7f8..11edd194de 100644 --- a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep +++ b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep 
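Review bot: The four `param` declarations at the top of the new file carry no `@description` decorators, while the module's deploy.bicep documents every parameter; add e.g. `@description('Required. Resource ID of the resource the private endpoint is created for.')` above `param privateEndpointResourceId string` and equivalents for the other three. The `privateDnsZoneGroups` resource builds its name as `'${privateEndpoint_var.name}/default'` and adds an explicit `dependsOn`; `parent: privateEndpoint` with `name: 'default'` expresses the same relationship and makes the dependency implicit. The file is byte-identical (blob 82ab478cd6) to the one added for topics at L399–L401, so any fix here needs applying there as well, or the two should source a shared module.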
@@ -27,16 +27,19 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' +@description('Optional. Configuration Details for private endpoints.') +param privateEndpoints array = [] + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false @@ -118,11 +121,11 @@ resource systemTopic 'Microsoft.EventGrid/systemTopics@2021-12-01' = { } } -resource systemTopic_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource systemTopic_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${systemTopic.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: systemTopic } 
@@ -140,7 +143,17 @@ resource systemTopic_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2 scope: systemTopic } -module systemTopic_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module systemTopic_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) { + name: '${uniqueString(deployment().name, location)}-EventGrid-PrivateEndpoint-${index}' + params: { + privateEndpointResourceId: systemTopic.id + privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) + privateEndpointObj: privateEndpoint + tags: tags + } +}] + +module systemTopic_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-EventGrid-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.EventGrid/systemTopics/readme.md b/arm/Microsoft.EventGrid/systemTopics/readme.md index 79f1621cf0..d6736c286d 100644 --- a/arm/Microsoft.EventGrid/systemTopics/readme.md +++ b/arm/Microsoft.EventGrid/systemTopics/readme.md 
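Review bot: The `if (!empty(privateEndpoints))` filter on the `systemTopic_privateEndpoints` loop and the `empty(privateEndpoints) ? 'dummy' : reference(...)` fallback appear unreachable, since the loop body is only instantiated per element of `privateEndpoints`; unless this is a deliberate workaround, `privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location` is the plain form, and if the workaround is intentional a comment stating why would help. The module also passes the topic-level `tags: tags` rather than any per-endpoint tags, and the nested file it calls (L393–L394) accepts no `lock` or `roleAssignments`, so private endpoints created here remain unlocked and without RBAC even when the system topic itself is locked. Either document that limitation in the `privateEndpoints` parameter description added at L395 or pass the module's `lock` through to the nested template. The `systemTopic_rbac` module below continues into context outside this hunk.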
@@ -17,6 +17,8 @@ This module deploys an Event Grid System Topic. | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.EventGrid/systemTopics` | [2021-12-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2021-12-01/systemTopics) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | +| `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters 
@@ -40,7 +42,8 @@ This module deploys an Event Grid System Topic. | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | +| `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -327,9 +330,6 @@ module systemTopics './Microsoft.EventGrid/systemTopics/deploy.bicep' = { "name": { "value": "<>-az-egstn-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "source": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" }, @@ -377,7 +377,6 @@ module systemTopics './Microsoft.EventGrid/systemTopics/deploy.bicep' = { name: '${uniqueString(deployment().name)}-systemTopics' params: { name: '<>-az-egstn-x-001' - lock: 'CanNotDelete' source: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' topicType: 'Microsoft.Storage.StorageAccounts' roleAssignments: [ 
diff --git a/arm/Microsoft.EventGrid/topics/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.EventGrid/topics/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..82ab478cd6 --- /dev/null +++ b/arm/Microsoft.EventGrid/topics/.bicep/nested_privateEndpoint.bicep 
@@ -0,0 +1,52 @@ +param privateEndpointResourceId string +param privateEndpointVnetLocation string +param privateEndpointObj object +param tags object + +var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) +var privateEndpoint_var = { + name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}') + subnetResourceId: privateEndpointObj.subnetResourceId + service: [ + privateEndpointObj.service + ] + privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : []) + customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null) +} + +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { + name: privateEndpoint_var.name + location: privateEndpointVnetLocation + tags: tags + properties: { + privateLinkServiceConnections: [ + { + name: privateEndpoint_var.name + properties: { + privateLinkServiceId: privateEndpointResourceId + groupIds: privateEndpoint_var.service + } + } + ] + manualPrivateLinkServiceConnections: [] + subnet: { + id: privateEndpoint_var.subnetResourceId + } + customDnsConfigs: privateEndpoint_var.customDnsConfigs + } +} + +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { + name: '${privateEndpoint_var.name}/default' + properties: { + privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): { + name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/')) + properties: { + privateDnsZoneId: 
privateEndpoint_var.privateDnsZoneResourceIds[j] + } + }] + } + dependsOn: [ + privateEndpoint + ] +} diff --git a/arm/Microsoft.EventGrid/topics/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.EventGrid/topics/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.EventGrid/topics/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.EventGrid/topics/.bicep/nested_rbac.bicep index 44af3022cf..7a2fca7579 100644 --- a/arm/Microsoft.EventGrid/topics/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.EventGrid/topics/.bicep/nested_rbac.bicep @@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: eventGrid }] diff --git a/arm/Microsoft.EventGrid/topics/.parameters/parameters.json b/arm/Microsoft.EventGrid/topics/.parameters/parameters.json index 5976a4588b..2d0de99e4e 100644 --- a/arm/Microsoft.EventGrid/topics/.parameters/parameters.json +++ b/arm/Microsoft.EventGrid/topics/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-egtn-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.EventGrid/topics/deploy.bicep b/arm/Microsoft.EventGrid/topics/deploy.bicep index 58f651c84f..cdb809bb81 100644 --- a/arm/Microsoft.EventGrid/topics/deploy.bicep +++ b/arm/Microsoft.EventGrid/topics/deploy.bicep 
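Review bot: For topics this file replaces the shared `../../Microsoft.Network/privateEndpoints/deploy.bicep` call, whose removed lines in the following hunk (L404) forwarded `lock`, `roleAssignments`, per-endpoint `tags`, `manualPrivateLinkServiceConnections` and `privateDnsZoneGroups`; none of these are inputs of the new file, so existing callers supplying those keys in a `privateEndpoints` entry silently lose them — a private endpoint that was previously locked alongside the topic is now created without a lock, and a `privateDnsZoneGroups` entry is ignored because the new file reads `privateDnsZoneResourceIds` instead, leaving no private DNS zone group deployed. Either accept and forward those fields in the nested template or call the input change out in the topics readme (not in this chunk). The file itself is identical to the one reviewed at L393–L394.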
@@ -34,12 +34,12 @@ param privateEndpoints array = [] param roleAssignments array = [] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Tags of the resource.') param tags object = {} @@ -68,8 +68,6 @@ param diagnosticMetricsToEnable array = [ @description('Optional. The name of the diagnostic setting, if deployed.') param diagnosticSettingsName string = '${name}-diagnosticSettings' -var enableReferencedModulesTelemetry = false - var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { category: category enabled: true @@ -101,7 +99,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource topic 'Microsoft.EventGrid/topics@2020-06-01' = { +resource eventGrid 'Microsoft.EventGrid/topics@2020-06-01' = { name: name location: location tags: tags 
@@ -111,16 +109,16 @@ resource topic 'Microsoft.EventGrid/topics@2020-06-01' = { } } -resource topic_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { - name: '${topic.name}-${lock}-lock' +resource eventGrid_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { + name: '${eventGrid.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } - scope: topic + scope: eventGrid } -resource topic_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { +resource eventGrid_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { name: diagnosticSettingsName properties: { storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null 
@@ -130,48 +128,38 @@ resource topic_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05 metrics: diagnosticsMetrics logs: diagnosticsLogs } - scope: topic + scope: eventGrid } -module topic_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-Topic-PrivateEndpoint-${index}' +module eventGrid_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) { + name: '${uniqueString(deployment().name, location)}-EventGrid-PrivateEndpoint-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(topic.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: topic.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: eventGrid.id + privateEndpointVnetLocation: (empty(privateEndpoints) ? 
'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) + privateEndpointObj: privateEndpoint + tags: tags } }] -module topic_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-topic-Rbac-${index}' +module eventGrid_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: '${uniqueString(deployment().name, location)}-EventGrid-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' principalIds: roleAssignment.principalIds principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - resourceId: topic.id + resourceId: eventGrid.id } }] @description('The name of the event grid topic.') -output name string = topic.name +output name string = eventGrid.name @description('The resource ID of the event grid.') -output resourceId string = topic.id +output resourceId string = eventGrid.id @description('The name of the resource group the event grid was deployed into.') output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') -output location string = topic.location +output location string = eventGrid.location diff --git a/arm/Microsoft.EventGrid/topics/readme.md b/arm/Microsoft.EventGrid/topics/readme.md index 668bf55da7..1ed608bee1 100644 --- a/arm/Microsoft.EventGrid/topics/readme.md +++ b/arm/Microsoft.EventGrid/topics/readme.md 
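Review bot: The switch from the shared `Microsoft.Network/privateEndpoints` module to the local `nested_privateEndpoint.bicep` silently drops three things the old call forwarded: the parent's `lock` (`lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock`), per-endpoint `roleAssignments`, and per-endpoint `tags` (the new call passes the topic's own `tags` object instead). A consumer who relied on the endpoint inheriting a `CanNotDelete`/`ReadOnly` lock now gets an unlocked endpoint with no warning, so either forward `lock` into the nested template or narrow the documented contract of the `privateEndpoints` parameter in the readme. Separately, `if (!empty(privateEndpoints))` on a `[for ... in privateEndpoints]` module and `empty(privateEndpoints) ? 'dummy' : reference(...)` inside the loop body are dead conditions — the body only executes for a non-empty array — and `index` is no longer handed to the nested template, so it cannot disambiguate two entries for the same `service`; I'd drop the dead guards and pass `privateEndpointIndex: index`.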
@@ -18,7 +18,7 @@ This module deploys an event grid topic. | `Microsoft.EventGrid/topics` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2020-06-01/topics) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters 
@@ -41,7 +41,7 @@ This module deploys an event grid topic. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `inboundIpRules` | array | `[]` | | Array of IPs to whitelist. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. Event Grid topics should use private endpoints. | | `publicNetworkAccess` | string | `'Enabled'` | | Determines if traffic is allowed over public network. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -250,9 +250,6 @@ tags: { "name": { "value": "<>-az-egtn-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { @@ -302,7 +299,6 @@ module topics './Microsoft.EventGrid/topics/deploy.bicep' = { name: '${uniqueString(deployment().name)}-topics' params: { name: '<>-az-egtn-x-001' - lock: 'CanNotDelete' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/arm/Microsoft.EventHub/namespaces/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.EventHub/namespaces/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..ac35d182f8 --- /dev/null +++ b/arm/Microsoft.EventHub/namespaces/.bicep/nested_privateEndpoint.bicep 
@@ -0,0 +1,52 @@ +param privateEndpointResourceId string +param privateEndpointVnetLocation string +param privateEndpointObj object +param tags object + +var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) +var privateEndpoint_var = { + name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}') + subnetResourceId: privateEndpointObj.subnetResourceId + service: [ + privateEndpointObj.service + ] + privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : []) + customDnsConfigs: contains(privateEndpointObj, 'customDnsConfigs') ? (!empty(privateEndpointObj.customDnsConfigs) ? privateEndpointObj.customDnsConfigs : null) : null +} + +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { + name: privateEndpoint_var.name + location: privateEndpointVnetLocation + tags: tags + properties: { + privateLinkServiceConnections: [ + { + name: privateEndpoint_var.name + properties: { + privateLinkServiceId: privateEndpointResourceId + groupIds: privateEndpoint_var.service + } + } + ] + manualPrivateLinkServiceConnections: [] + subnet: { + id: privateEndpoint_var.subnetResourceId + } + customDnsConfigs: privateEndpoint_var.customDnsConfigs + } +} + +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { + name: '${privateEndpoint_var.name}/default' + properties: { + privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { + name: last(split(privateDnsZoneResourceId, '/')) + properties: { + privateDnsZoneId: privateDnsZoneResourceId + } + }] + } + dependsOn: [ + 
privateEndpoint + ] +} diff --git a/arm/Microsoft.EventHub/namespaces/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.EventHub/namespaces/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep index 9fa7d807dd..e574141c4e 100644 --- a/arm/Microsoft.EventHub/namespaces/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep @@ -52,7 +52,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: eventHubNamespace }] diff --git a/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json b/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json index 38aff7a42e..33cf7d93bf 100644 --- a/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-evnsp-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "authorizationRules": { "value": [ { @@ -90,14 +87,6 @@ } ] }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "namespace" - } - ] - }, "diagnosticLogsRetentionInDays": { "value": 7 }, diff --git a/arm/Microsoft.EventHub/namespaces/deploy.bicep b/arm/Microsoft.EventHub/namespaces/deploy.bicep index 657ea68a8b..e8f9737cc0 100644 --- a/arm/Microsoft.EventHub/namespaces/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/deploy.bicep 
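Review bot: The default endpoint name `'${privateEndpointResourceName}-${privateEndpointObj.service}'` collides when two entries in `privateEndpoints` target the same `service` (for example the same namespace exposed in two subnets) without an explicit `name`; the call site this replaces used to append `-${index}`, and with the index gone the two module deployments would target one `Microsoft.Network/privateEndpoints` name and the second would conflict with or overwrite the first. I'd add `param privateEndpointIndex int` and append it to the default: `'${privateEndpointResourceName}-${privateEndpointObj.service}-${privateEndpointIndex}'`. None of the four `param` lines carries an `@description(...)` decorator, unlike every parameter in the sibling `deploy.bicep` files in this diff; at minimum document that `privateEndpointObj` must carry `subnetResourceId` and `service` (both are read unconditionally) and may carry `name`, `privateDnsZoneResourceIds` and `customDnsConfigs`. The `privateDnsZoneGroups` resource is pinned to `@2021-05-01` while the EventGrid readme hunk in this same diff lists that type at `2021-02-01`; if the EventHub readme table is generated from this file, make the template and the table agree.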
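Review bot: Deleting the `privateEndpoints` value from the validation parameter file leaves the newly added `nested_privateEndpoint.bicep` and the rewritten `eventHubNamespace_privateEndpoints` module call with no deployment that exercises them, so a broken `reference(...)`, a default-name collision or an API-version typo in that path would surface only for a downstream consumer. If the intent is to keep the validation run small, keep at least one parameter set with the `subnetResourceId`/`service: "namespace"` entry (I can't see from this diff how many parameter files the pipeline consumes); otherwise restore the block. The `lock` removal is presumably there so the validation resource group can be torn down; a one-line note in the PR description saying so would stop someone re-adding it.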
@@ -64,12 +64,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false @@ -157,7 +157,7 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -188,11 +188,11 @@ resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-11-01' = { } } -resource eventHubNamespace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource eventHubNamespace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${eventHubNamespace.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: eventHubNamespace } 
@@ -235,12 +235,12 @@ module eventHubNamespace_eventHubs 'eventhubs/deploy.bicep' = [for (eventHub, in captureDescriptionSizeLimitInBytes: contains(eventHub, 'captureDescriptionSizeLimitInBytes') ? eventHub.captureDescriptionSizeLimitInBytes : 314572800 captureDescriptionSkipEmptyArchives: contains(eventHub, 'captureDescriptionSkipEmptyArchives') ? eventHub.captureDescriptionSkipEmptyArchives : false consumerGroups: contains(eventHub, 'consumerGroups') ? eventHub.consumerGroups : [] - lock: contains(eventHub, 'lock') ? eventHub.lock : '' + lock: contains(eventHub, 'lock') ? eventHub.lock : 'NotSpecified' messageRetentionInDays: contains(eventHub, 'messageRetentionInDays') ? eventHub.messageRetentionInDays : 1 partitionCount: contains(eventHub, 'partitionCount') ? eventHub.partitionCount : 2 roleAssignments: contains(eventHub, 'roleAssignments') ? eventHub.roleAssignments : [] status: contains(eventHub, 'status') ? eventHub.status : 'Active' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -250,7 +250,7 @@ module eventHubNamespace_diasterRecoveryConfig 'disasterRecoveryConfigs/deploy.b namespaceName: eventHubNamespace.name name: disasterRecoveryConfig.name partnerNamespaceId: contains(disasterRecoveryConfig, 'partnerNamespaceId') ? disasterRecoveryConfig.partnerNamespaceId : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -260,7 +260,7 @@ module eventHubNamespace_authorizationRules 'authorizationRules/deploy.bicep' = namespaceName: eventHubNamespace.name name: authorizationRule.name rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] 
@@ -273,31 +273,21 @@ module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!em trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : [] virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? networkRuleSets.virtualNetworkRules : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } -module eventHubNamespace_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { +module eventHubNamespace_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: { name: '${uniqueString(deployment().name, location)}-EvhbNamespace-PrivateEndpoint-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(eventHubNamespace.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: eventHubNamespace.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? 
privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: eventHubNamespace.id + privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) + privateEndpointObj: endpoint + tags: tags } }] -module eventHubNamespace_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module eventHubNamespace_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-EvhbNamespace-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_rbac.bicep index fd0146583f..1bfa9a5eaa 100644 --- a/arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_rbac.bicep @@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: eventHub }] diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/deploy.bicep b/arm/Microsoft.EventHub/namespaces/eventhubs/deploy.bicep index fe11d46e7f..1fd8958db7 100644 --- a/arm/Microsoft.EventHub/namespaces/eventhubs/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/eventhubs/deploy.bicep 
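Review bot: `privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(...))` sits inside `[for (endpoint, index) in privateEndpoints: ...]`, so the `empty(privateEndpoints)` branch can never be taken and `'dummy'` is unreachable; the plain `reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location` the old code used is sufficient. The new call also passes the namespace's `tags` rather than `privateEndpoint.tags` and no longer forwards `lock` or `roleAssignments` to the endpoint, which is a behaviour change for callers that locked or scoped RBAC on the endpoint and is not mentioned in the readme changes in this diff. `index` is still computed in the loop header but not handed to the nested template, so two entries with the same `service` and no `name` resolve to the same endpoint name there.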
@@ -48,12 +48,12 @@ param consumerGroups array = [ ] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -96,7 +96,7 @@ param captureDescriptionSkipEmptyArchives bool = false @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false var eventHubPropertiesSimple = { messageRetentionInDays: messageRetentionInDays @@ -146,10 +146,10 @@ resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-11-01' = { properties: captureDescriptionEnabled ? eventHubPropertiesWithCapture : eventHubPropertiesSimple } -resource eventHub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource eventHub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${eventHub.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: eventHub 
@@ -162,7 +162,7 @@ module eventHub_consumergroups 'consumergroups/deploy.bicep' = [for (consumerGro eventHubName: eventHub.name name: consumerGroup.name userMetadata: contains(consumerGroup, 'userMetadata') ? consumerGroup.userMetadata : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -173,11 +173,11 @@ module eventHub_authorizationRules 'authorizationRules/deploy.bicep' = [for (aut eventHubName: eventHub.name name: authorizationRule.name rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] -module eventHub_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module eventHub_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${deployment().name}-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/readme.md b/arm/Microsoft.EventHub/namespaces/eventhubs/readme.md index 6ebdbd432c..c37b5d1d90 100644 --- a/arm/Microsoft.EventHub/namespaces/eventhubs/readme.md +++ b/arm/Microsoft.EventHub/namespaces/eventhubs/readme.md 
@@ -45,7 +45,7 @@ This module deploys an Event Hub. | `captureDescriptionSkipEmptyArchives` | bool | `False` | | A value that indicates whether to Skip Empty Archives. | | `consumerGroups` | _[consumerGroups](consumerGroups/readme.md)_ array | `[System.Collections.Hashtable]` | | The consumer groups to create in this event hub instance. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `messageRetentionInDays` | int | `1` | | Number of days to retain the events for this Event Hub, value should be 1 to 7 days. | | `partitionCount` | int | `2` | | Number of partitions created for the Event Hub, allowed values are from 1 to 32 partitions. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | diff --git a/arm/Microsoft.EventHub/namespaces/readme.md b/arm/Microsoft.EventHub/namespaces/readme.md index bd85b46992..0c74bd249c 100644 --- a/arm/Microsoft.EventHub/namespaces/readme.md +++ b/arm/Microsoft.EventHub/namespaces/readme.md 
@@ -45,7 +45,7 @@ This module deploys an event hub namespace. | `eventHubs` | _[eventHubs](eventHubs/readme.md)_ array | `[]` | | The event hubs to deploy into this namespace. | | `isAutoInflateEnabled` | bool | `False` | | Switch to enable the Auto Inflate feature of Event Hub. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `maximumThroughputUnits` | int | `1` | | Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. | | `name` | string | `''` | | The name of the event hub namespace. If no name is provided, then unique name will be created. | | `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Networks ACLs, this object contains IPs/Subnets to whitelist or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | @@ -327,9 +327,6 @@ module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { "name": { "value": "<>-az-evnsp-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "authorizationRules": { "value": [ { @@ -412,14 +409,6 @@ module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { } ] }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "namespace" - } - ] - }, "diagnosticLogsRetentionInDays": { "value": 7 }, 
@@ -479,7 +468,6 @@ module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-namespaces' params: { name: '<>-az-evnsp-x-001' - lock: 'CanNotDelete' authorizationRules: [ { name: 'RootManageSharedAccessKey' @@ -556,12 +544,6 @@ module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { ] } ] - privateEndpoints: [ - { - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' - service: 'namespace' - } - ] diagnosticLogsRetentionInDays: 7 diagnosticStorageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' diff --git a/arm/Microsoft.HealthBot/healthBots/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.HealthBot/healthBots/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.HealthBot/healthBots/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.HealthBot/healthBots/.bicep/nested_rbac.bicep index 7895eb9e5a..a66e04d08a 100644 --- a/arm/Microsoft.HealthBot/healthBots/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.HealthBot/healthBots/.bicep/nested_rbac.bicep @@ -47,7 +47,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: healthBot }] 
diff --git a/arm/Microsoft.HealthBot/healthBots/.parameters/parameters.json b/arm/Microsoft.HealthBot/healthBots/.parameters/parameters.json index fef2b742de..76b924cc36 100644 --- a/arm/Microsoft.HealthBot/healthBots/.parameters/parameters.json +++ b/arm/Microsoft.HealthBot/healthBots/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-ahb-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.HealthBot/healthBots/deploy.bicep b/arm/Microsoft.HealthBot/healthBots/deploy.bicep index e8eb13754d..d2fa21acc8 100644 --- a/arm/Microsoft.HealthBot/healthBots/deploy.bicep +++ b/arm/Microsoft.HealthBot/healthBots/deploy.bicep @@ -8,12 +8,12 @@ param sku string = 'F0' param location string = resourceGroup().location @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -46,16 +46,16 @@ resource azureHealthBot 'Microsoft.HealthBot/healthBots@2020-12-08' = { properties: {} } -resource azureHealthBot_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource azureHealthBot_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${azureHealthBot.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: azureHealthBot } -module healthBot_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module healthBot_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-HealthBot-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.HealthBot/healthBots/readme.md b/arm/Microsoft.HealthBot/healthBots/readme.md index 3c761eba4c..eec445bb09 100644 --- a/arm/Microsoft.HealthBot/healthBots/readme.md +++ b/arm/Microsoft.HealthBot/healthBots/readme.md 
@@ -29,7 +29,7 @@ This module deploys an Azure Health Bot. | :-- | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `sku` | string | `'F0'` | | The resource model definition representing SKU. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -160,9 +160,6 @@ roleAssignments: [ "name": { "value": "<>-az-ahb-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { @@ -189,7 +186,6 @@ module healthBots './Microsoft.HealthBot/healthBots/deploy.bicep' = { name: '${uniqueString(deployment().name)}-healthBots' params: { name: '<>-az-ahb-x-001' - lock: 'CanNotDelete' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/arm/Microsoft.Insights/actionGroups/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Insights/actionGroups/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Insights/actionGroups/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Insights/actionGroups/.bicep/nested_rbac.bicep index 476058f9a4..33e8342aac 100644 --- a/arm/Microsoft.Insights/actionGroups/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Insights/actionGroups/.bicep/nested_rbac.bicep 
@@ -48,7 +48,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: actionGroup }] diff --git a/arm/Microsoft.Insights/actionGroups/deploy.bicep b/arm/Microsoft.Insights/actionGroups/deploy.bicep index 8f369c1ff4..ff7a611104 100644 --- a/arm/Microsoft.Insights/actionGroups/deploy.bicep +++ b/arm/Microsoft.Insights/actionGroups/deploy.bicep @@ -81,7 +81,7 @@ resource actionGroup 'microsoft.insights/actionGroups@2019-06-01' = { } } -module actionGroup_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module actionGroup_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-ActionGroup-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_rbac.bicep index 5694033cdc..8cf1887bc2 100644 --- a/arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_rbac.bicep 
@@ -48,7 +48,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: activityLogAlert }] diff --git a/arm/Microsoft.Insights/activityLogAlerts/deploy.bicep b/arm/Microsoft.Insights/activityLogAlerts/deploy.bicep index 4453cb6395..b37cdfa502 100644 --- a/arm/Microsoft.Insights/activityLogAlerts/deploy.bicep +++ b/arm/Microsoft.Insights/activityLogAlerts/deploy.bicep @@ -64,7 +64,7 @@ resource activityLogAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = { } } -module activityLogAlert_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module activityLogAlert_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-ActivityLogAlert-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Insights/components/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Insights/components/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Insights/components/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Insights/components/.bicep/nested_rbac.bicep index b95fcf74f1..56f90810c7 100644 --- a/arm/Microsoft.Insights/components/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Insights/components/.bicep/nested_rbac.bicep 
@@ -51,7 +51,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: appInsights }] diff --git a/arm/Microsoft.Insights/components/deploy.bicep b/arm/Microsoft.Insights/components/deploy.bicep index df25c2a77a..2b1451f710 100644 --- a/arm/Microsoft.Insights/components/deploy.bicep +++ b/arm/Microsoft.Insights/components/deploy.bicep @@ -86,7 +86,7 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02' = { } } -module appInsights_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module appInsights_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-AppInsights-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Insights/metricAlerts/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Insights/metricAlerts/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Insights/metricAlerts/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Insights/metricAlerts/.bicep/nested_rbac.bicep index ec5e914fc0..28d0f8d386 100644 --- a/arm/Microsoft.Insights/metricAlerts/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Insights/metricAlerts/.bicep/nested_rbac.bicep 
@@ -51,7 +51,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: metricAlert }] diff --git a/arm/Microsoft.Insights/metricAlerts/deploy.bicep b/arm/Microsoft.Insights/metricAlerts/deploy.bicep index 2fbc4fdc0d..926b7e2bb3 100644 --- a/arm/Microsoft.Insights/metricAlerts/deploy.bicep +++ b/arm/Microsoft.Insights/metricAlerts/deploy.bicep @@ -111,7 +111,7 @@ resource metricAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = { targetResourceType: targetResourceType targetResourceRegion: targetResourceRegion criteria: { - 'odata.type': any(alertCriteriaType) + 'odata.type': alertCriteriaType allOf: criterias } autoMitigate: autoMitigate @@ -119,7 +119,7 @@ resource metricAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = { } } -module metricAlert_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module metricAlert_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-MetricAlert-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..5672ec5ea7 --- /dev/null +++ b/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_privateEndpoint.bicep 
@@ -0,0 +1,49 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpointObj object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}')
+ subnetResourceId: privateEndpointObj.subnetResourceId
+ service: [
+ privateEndpointObj.service
+ ]
+ privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? ((empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds)) : [])
+ customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null)
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+
+ resource privateDnsZoneGroups 'privateDnsZoneGroups@2021-05-01' = {
+ name: 'default'
+ properties: {
+ privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: {
+ name: last(split(privateDnsZoneResourceId, '/'))
+ properties: {
+ privateDnsZoneId: privateDnsZoneResourceId
+ }
+ }]
+ }
+ }
+}
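Review bot: The `privateDnsZoneGroups` child resource at the end of this new module is created unconditionally with `name: 'default'`, so an endpoint entry that carries no `privateDnsZoneResourceIds` still gets a zone group whose `privateDnsZoneConfigs` is an empty array, while the otherwise identical Key Vault module added in this same commit guards the same resource with `if (!empty(privateEndpoint_var.privateDnsZoneResourceIds))`. Whether or not ARM accepts the empty group, the two copies should agree; suggest `resource privateDnsZoneGroups 'privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {` here. The four `param` lines also carry no `@description(...)` decorators, unlike the parent `deploy.bicep`, so the keys this module reads from `privateEndpointObj` (`service`, `subnetResourceId` and the optional `name`, `privateDnsZoneResourceIds`, `customDnsConfigs`) are only discoverable from the `privateEndpoint_var` expression — a description on that parameter listing them would save callers a guess.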
diff --git a/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_rbac.bicep index 71c903ae40..c0a3553406 100644 --- a/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_rbac.bicep @@ -47,7 +47,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: privateLinkScope }] diff --git a/arm/Microsoft.Insights/privateLinkScopes/.parameters/parameters.json b/arm/Microsoft.Insights/privateLinkScopes/.parameters/parameters.json index 8bfe5c1638..26b7103029 100644 --- a/arm/Microsoft.Insights/privateLinkScopes/.parameters/parameters.json +++ b/arm/Microsoft.Insights/privateLinkScopes/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-pls-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "scopedResources": { "value": [ { @@ -25,14 +22,6 @@ ] } ] - }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "azuremonitor" - } - ] } } } diff --git a/arm/Microsoft.Insights/privateLinkScopes/deploy.bicep b/arm/Microsoft.Insights/privateLinkScopes/deploy.bicep index 18a8c7696d..ca2e65c199 100644 --- a/arm/Microsoft.Insights/privateLinkScopes/deploy.bicep 
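Review bot: The `privateEndpoints` value removed from this test parameter file was, as far as this diff shows, the only input that exercised the new `.bicep/nested_privateEndpoint.bicep` module introduced for privateLinkScopes in this same commit, so the module's validation run no longer deploys a private endpoint at all. The `lock` value removed in the earlier hunk likewise means the rewritten `lock != 'NotSpecified'` condition in `deploy.bicep` is never taken during validation. Unless both are covered by a parameter file not in this diff, keep the removed `privateEndpoints` block (`subnetResourceId` plus `"service": "azuremonitor"`) and a `"lock": { "value": "CanNotDelete" }` entry so a regression in the new nested module or the lock path is caught by the pipeline rather than by consumers.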
+++ b/arm/Microsoft.Insights/privateLinkScopes/deploy.bicep @@ -6,12 +6,12 @@ param name string param location string = 'global' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -28,7 +28,7 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' 
@@ -55,40 +55,30 @@ module privateLinkScope_scopedResource 'scopedResources/deploy.bicep' = [for (sc name: scopedResource.name privateLinkScopeName: privateLinkScope.name linkedResourceId: scopedResource.linkedResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] -resource privateLinkScope_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource privateLinkScope_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${privateLinkScope.name}-${lock}-lock' + scope: privateLinkScope properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } - scope: privateLinkScope } -module privateLinkScope_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { +module privateLinkScope_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: { name: '${uniqueString(deployment().name, location)}-PvtLinkScope-PrivateEndpoint-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(privateLinkScope.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: privateLinkScope.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? 
privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: privateLinkScope.id + privateEndpointVnetLocation: reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + privateEndpointObj: endpoint + tags: tags } }] -module privateLinkScope_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module privateLinkScope_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-PvtLinkScope-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Insights/privateLinkScopes/readme.md b/arm/Microsoft.Insights/privateLinkScopes/readme.md index 3add81522d..3ed13fa91a 100644 --- a/arm/Microsoft.Insights/privateLinkScopes/readme.md +++ b/arm/Microsoft.Insights/privateLinkScopes/readme.md 
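Review bot: A `lock`, `roleAssignments`, `manualPrivateLinkServiceConnections`, `tags` or `privateDnsZoneGroups` key on a `privateEndpoints[]` entry is now silently ignored: the removed lines forwarded each of them to the shared private endpoint module, whereas the new call hands the whole entry to `.bicep/nested_privateEndpoint.bicep` as `privateEndpointObj`, which (per the new file in this commit) reads only `name`, `service`, `subnetResourceId`, `privateDnsZoneResourceIds` and `customDnsConfigs`, and `tags: tags` now applies the scope's tags instead of the entry's. Concretely, an endpoint that used to inherit the parent `lock` is now deployed unlocked, and a caller still passing `privateDnsZoneGroups` gets an endpoint with no DNS zone group and no deployment error, which presumably leaves name resolution pointing at the public endpoint — worth confirming. Either re-add the per-endpoint lock in the nested module, or spell the contract out on the parameter, e.g. `@description('Optional. Configuration Details for private endpoints. Supported keys: service, subnetResourceId, name, privateDnsZoneResourceIds, customDnsConfigs; per-endpoint lock, roleAssignments and tags are not applied.')`. The `privateEndpoints` parameter declaration itself sits outside this hunk.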
@@ -32,7 +32,7 @@ This module deploys an Azure Monitor Private Link Scope. | :-- | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `'global'` | | The location of the private link scope. Should be global. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `scopedResources` | _[scopedResources](scopedResources/readme.md)_ array | `[]` | | Configuration Details for Azure Monitor Resources. | @@ -241,9 +241,6 @@ tags: { "name": { "value": "<>-az-pls-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "scopedResources": { "value": [ { @@ -261,14 +258,6 @@ tags: { ] } ] - }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "azuremonitor" - } - ] } } } @@ -286,7 +275,6 @@ module privateLinkScopes './Microsoft.Insights/privateLinkScopes/deploy.bicep' = name: '${uniqueString(deployment().name)}-privateLinkScopes' params: { name: '<>-az-pls-x-001' - lock: 'CanNotDelete' scopedResources: [ { name: 'scoped1' 
@@ -301,12 +289,6 @@ module privateLinkScopes './Microsoft.Insights/privateLinkScopes/deploy.bicep' = ] } ] - privateEndpoints: [ - { - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' - service: 'azuremonitor' - } - ] } ``` diff --git a/arm/Microsoft.Insights/scheduledQueryRules/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Insights/scheduledQueryRules/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Insights/scheduledQueryRules/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Insights/scheduledQueryRules/.bicep/nested_rbac.bicep index 3c37c05305..e753febd26 100644 --- a/arm/Microsoft.Insights/scheduledQueryRules/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Insights/scheduledQueryRules/.bicep/nested_rbac.bicep @@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: queryAlert }] diff --git a/arm/Microsoft.Insights/scheduledQueryRules/deploy.bicep b/arm/Microsoft.Insights/scheduledQueryRules/deploy.bicep index d59d88817a..56c1f8bad0 100644 --- a/arm/Microsoft.Insights/scheduledQueryRules/deploy.bicep +++ b/arm/Microsoft.Insights/scheduledQueryRules/deploy.bicep 
@@ -105,7 +105,7 @@ resource queryRule 'Microsoft.Insights/scheduledQueryRules@2021-02-01-preview' = } } -module queryRule_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module queryRule_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-QueryRule-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..0e3f625a39 --- /dev/null +++ b/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep 
@@ -0,0 +1,49 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpointObj object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}')
+ subnetResourceId: privateEndpointObj.subnetResourceId
+ service: [
+ privateEndpointObj.service
+ ]
+ privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : [])
+ customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null)
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+}
+
+resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
+ name: '${privateEndpoint.name}/default'
+ properties: {
+ privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): {
+ name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/'))
+ properties: {
+ privateDnsZoneId: privateEndpoint_var.privateDnsZoneResourceIds[j]
+
} + }] + } +} diff --git a/arm/Microsoft.KeyVault/vaults/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.KeyVault/vaults/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep index b03611076e..10e2e1e5f1 100644 --- a/arm/Microsoft.KeyVault/vaults/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep @@ -56,7 +56,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: keyVault }] diff --git a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json index d015736c8f..bf3331329e 100644 --- a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json +++ b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json @@ -3,10 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-kv-x-002" - }, - "lock": { - "value": "CanNotDelete" + "value": "<>-az-kv-x-001" }, "softDeleteRetentionInDays": { "value": 7 diff --git a/arm/Microsoft.KeyVault/vaults/deploy.bicep b/arm/Microsoft.KeyVault/vaults/deploy.bicep index b0314495cb..f556ce9891 100644 --- a/arm/Microsoft.KeyVault/vaults/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/deploy.bicep 
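Review bot: The `privateDnsZoneGroups` resource in this new Key Vault module is declared at top level with `name: '${privateEndpoint.name}/default'` at API version `2021-02-01`, while the endpoint it belongs to uses `2021-05-01` and the otherwise identical `nested_privateEndpoint.bicep` added for privateLinkScopes in this same commit declares it as a nested child at `2021-05-01`; the readme hunk further down even downgrades the documented API version to `2021-02-01` to match this copy. Using the nested child form here keeps a single API version for both resources, gives the implicit parent dependency, and lets the `range(0, length(...))` / `[j]` indexing become a direct iteration over the array, as in the privateLinkScopes copy. If the two files are meant to stay in sync, this is the version to keep in both.
```bicep
// … unchanged: params, privateEndpoint_var, privateEndpoint properties …
  // placed inside `resource privateEndpoint ... = {` instead of after it
  resource privateDnsZoneGroups 'privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
    name: 'default'
    properties: {
      privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: {
        name: last(split(privateDnsZoneResourceId, '/'))
        properties: {
          privateDnsZoneId: privateDnsZoneResourceId
        }
      }]
    }
  }
} // closes resource privateEndpoint
```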
@@ -89,12 +89,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -175,7 +175,7 @@ var formattedAccessPolicies = [for accessPolicy in accessPolicies: { var secretList = !empty(secrets) ? secrets.secureList : [] -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false // =========== // // Deployments // @@ -216,10 +216,10 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = { } } -resource keyVault_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource keyVault_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${keyVault.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: keyVault @@ -243,7 +243,7 @@ module keyVault_accessPolicies 'accessPolicies/deploy.bicep' = if (!empty(access params: { keyVaultName: keyVault.name accessPolicies: formattedAccessPolicies - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } 
@@ -259,7 +259,7 @@ module keyVault_secrets 'secrets/deploy.bicep' = [for (secret, index) in secretL contentType: contains(secret, 'contentType') ? secret.contentType : '' tags: contains(secret, 'tags') ? secret.tags : {} roleAssignments: contains(secret, 'roleAssignments') ? secret.roleAssignments : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] 
@@ -277,31 +277,21 @@ module keyVault_keys 'keys/deploy.bicep' = [for (key, index) in keys: { kty: contains(key, 'kty') ? key.kty : 'EC' tags: contains(key, 'tags') ? key.tags : {} roleAssignments: contains(key, 'roleAssignments') ? key.roleAssignments : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] -module keyVault_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { +module keyVault_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: { name: '${uniqueString(deployment().name, location)}-KeyVault-PrivateEndpoint-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(keyVault.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: keyVault.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: keyVault.id + privateEndpointVnetLocation: empty(privateEndpoints) ? 
'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + privateEndpointObj: privateEndpoint + tags: tags } }] -module keyVault_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module keyVault_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-KeyVault-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.KeyVault/vaults/keys/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.KeyVault/vaults/keys/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.KeyVault/vaults/keys/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.KeyVault/vaults/keys/.bicep/nested_rbac.bicep index 7eafd1c2d8..f22e710d43 100644 --- a/arm/Microsoft.KeyVault/vaults/keys/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.KeyVault/vaults/keys/.bicep/nested_rbac.bicep @@ -55,7 +55,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: key }] diff --git a/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep b/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep index 60432671eb..de0962508b 100644 --- a/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep 
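Review bot: `empty(privateEndpoints) ? 'dummy' : reference(...)` on the `privateEndpointVnetLocation` line can never take the `'dummy'` branch, because it is evaluated inside `[for (privateEndpoint, index) in privateEndpoints: ...]`, which has no iterations when the array is empty; the privateLinkScopes module in this same commit passes the `reference()` directly. Unless the guard works around a known ARM evaluation quirk for zero-count loops — in which case a comment saying so belongs on the line — simplify to `privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location`. Separately, the removed lines show that per-endpoint `lock`, `roleAssignments`, `tags`, `manualPrivateLinkServiceConnections` and the `privateDnsZoneGroups` key were forwarded before, and the new nested module reads none of them (it expects `privateDnsZoneResourceIds`), so a vault endpoint that previously inherited the vault's `lock` or got its zone group from `privateDnsZoneGroups` now deploys without either and without an error; that contract change should be stated in the `privateEndpoints` parameter description, which sits outside this hunk.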
@@ -88,7 +88,7 @@ resource key 'Microsoft.KeyVault/vaults/keys@2019-09-01' = { } } -module key_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module key_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${deployment().name}-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index 955029e75b..159f859edd 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md @@ -21,7 +21,7 @@ This module deploys a key vault and its child resources. | `Microsoft.KeyVault/vaults/keys` | [2019-09-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/keys) | | `Microsoft.KeyVault/vaults/secrets` | [2019-09-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/secrets) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters 
@@ -47,7 +47,7 @@ This module deploys a key vault and its child resources. | `enableVaultForTemplateDeployment` | bool | `True` | `[True, False]` | Specifies if the vault is enabled for a template deployment. | | `keys` | _[keys](keys/readme.md)_ array | `[]` | | All keys to create. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `name` | string | `''` | | Name of the Key Vault. If no name is provided, then unique name will be created. | | `networkAcls` | object | `{object}` | | Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | @@ -424,10 +424,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = { "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-kv-x-002" - }, - "lock": { - "value": "CanNotDelete" + "value": "<>-az-kv-x-001" }, "softDeleteRetentionInDays": { "value": 7 @@ -565,8 +562,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = { module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = { name: '${uniqueString(deployment().name)}-vaults' params: { - name: '<>-az-kv-x-002' - lock: 'CanNotDelete' + name: '<>-az-kv-x-001' softDeleteRetentionInDays: 7 enableRbacAuthorization: false privateEndpoints: [ 
diff --git a/arm/Microsoft.KeyVault/vaults/secrets/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.KeyVault/vaults/secrets/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.KeyVault/vaults/secrets/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.KeyVault/vaults/secrets/.bicep/nested_rbac.bicep index d80da03d4d..559ffa6eed 100644 --- a/arm/Microsoft.KeyVault/vaults/secrets/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.KeyVault/vaults/secrets/.bicep/nested_rbac.bicep @@ -54,7 +54,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: secret }] diff --git a/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep b/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep index ceb2663d0b..1918cd7bc5 100644 --- a/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep @@ -61,7 +61,7 @@ resource secret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = { } } -module secret_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module secret_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${deployment().name}-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Logic/workflows/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Logic/workflows/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Logic/workflows/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Logic/workflows/.bicep/nested_rbac.bicep index 9427c50737..05fa2cdbc8 100644 
--- a/arm/Microsoft.Logic/workflows/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Logic/workflows/.bicep/nested_rbac.bicep @@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: logicApp }] diff --git a/arm/Microsoft.Logic/workflows/.parameters/parameters.json b/arm/Microsoft.Logic/workflows/.parameters/parameters.json index 6436e5c1b7..7ead1ba4ba 100644 --- a/arm/Microsoft.Logic/workflows/.parameters/parameters.json +++ b/arm/Microsoft.Logic/workflows/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-lga-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "tags": { "value": {} }, diff --git a/arm/Microsoft.Logic/workflows/deploy.bicep b/arm/Microsoft.Logic/workflows/deploy.bicep index 98cfe8608c..6a2743b7a0 100644 --- a/arm/Microsoft.Logic/workflows/deploy.bicep +++ b/arm/Microsoft.Logic/workflows/deploy.bicep 
@@ -49,16 +49,19 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] +@description('Optional. Sku of Logic App. Only to be set when integrating with ISE.') +param sku object = {} + @description('Optional. The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended.') @allowed([ 'NotSpecified' @@ -165,6 +168,7 @@ resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = { workflow: workflowEndpointsConfiguration connector: connectorEndpointsConfiguration } + sku: !empty(sku) ? sku : null accessControl: { triggers: !empty(triggersAccessControlConfiguration) ? triggersAccessControlConfiguration : null contents: !empty(contentsAccessControlConfiguration) ? contentsAccessControlConfiguration : null 
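Review bot: Replacing the `''` entry in `@allowed` with `'NotSpecified'` is a breaking change for any caller that passes `lock: ''` explicitly — that value is now rejected at validation time instead of meaning "no lock" — and neither the hunk nor the readme rows in this diff call that out. Consider saying so in the commit message, or adding `// '' is no longer accepted: omit the parameter or pass 'NotSpecified' for no lock` above the decorator; the same parameter change appears in the MachineLearningServices, ManagedIdentity and NetApp deploy.bicep hunks. Separately, `param sku object = {}` is forwarded untyped, so its description should name the keys the workflows resource expects (presumably `name` and `plan`, to be confirmed against the resource schema) rather than only "Only to be set when integrating with ISE".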
@@ -186,11 +190,11 @@ resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = { } } -resource logicApp_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource logicApp_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${logicApp.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: logicApp } @@ -208,7 +212,7 @@ resource logicApp_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021 scope: logicApp } -module logicApp_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module logicApp_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-LogicApp-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Logic/workflows/readme.md b/arm/Microsoft.Logic/workflows/readme.md index a2ecc2e625..1eb67cd6f5 100644 --- a/arm/Microsoft.Logic/workflows/readme.md +++ b/arm/Microsoft.Logic/workflows/readme.md 
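Review bot: `logicApp_lock` is now gated on `lock != 'NotSpecified'` and writes `level: lock` without the `any()` cast, but the module's own parameter file earlier in this diff drops `"lock": "CanNotDelete"`, so this branch is no longer exercised by the module test and a type mismatch on `level` would only surface for real consumers. If removing the lock from the test parameters is deliberate (for example so validation resources can be cleaned up), say so in the commit; otherwise keep at least one parameter set that deploys a lock. The same combination — new condition plus the parameter-file removal — applies to the lock hunks for MachineLearningServices, ManagedIdentity and NetApp accounts.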
@@ -44,8 +44,9 @@ This module deploys a Logic App resource. | `integrationAccount` | object | `{object}` | | The integration account. | | `integrationServiceEnvironment` | object | `{object}` | | The integration service environment. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `sku` | object | `{object}` | | Sku of Logic App. Only to be set when integrating with ISE. | | `state` | string | `'Enabled'` | `[NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended]` | The state. - NotSpecified, Completed, Enabled, Disabled, Deleted, Suspended. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -327,9 +328,6 @@ userAssignedIdentities: { "name": { "value": "<>-az-lga-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "tags": { "value": {} }, @@ -412,7 +410,6 @@ module workflows './Microsoft.Logic/workflows/deploy.bicep' = { name: '${uniqueString(deployment().name)}-workflows' params: { name: '<>-az-lga-x-001' - lock: 'CanNotDelete' tags: {} workflowActions: { HTTP: { 
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_privateEndpoint.bicep
new file mode 100644
index 0000000000..82ab478cd6
--- /dev/null
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_privateEndpoint.bicep
@@ -0,0 +1,52 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpointObj object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}')
+ subnetResourceId: privateEndpointObj.subnetResourceId
+ service: [
+ privateEndpointObj.service
+ ]
+ privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : [])
+ customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null)
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+}
+
+resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
+ name: '${privateEndpoint_var.name}/default'
+ properties: {
+ privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): {
+ name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/'))
+ properties: {
+ privateDnsZoneId: 
privateEndpoint_var.privateDnsZoneResourceIds[j] + } + }] + } + dependsOn: [ + privateEndpoint + ] +} diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_rbac.bicep index 1bd860393a..bf634eb1b6 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_rbac.bicep @@ -48,7 +48,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: workspace }] diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json index d8058a2616..c6ecc0756d 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-mls-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "sku": { "value": "Basic" }, diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 3541bb651a..b627b8f31b 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep 
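Review bot: `privateEndpointObj` is an untyped object whose `service` and `subnetResourceId` keys are read unconditionally while `name`, `privateDnsZoneResourceIds` and `customDnsConfigs` are optional, and nothing in the new file says so; a short header comment listing the required and optional keys, and noting that an empty or missing `name` falls back to `<resource-name>-<service>`, would spare callers a failed deployment. The `privateDnsZoneGroups` child is declared with a `'${privateEndpoint_var.name}/default'` name plus an explicit `dependsOn`, where `name: 'default'` together with `parent: privateEndpoint` expresses the same relationship and lets the compiler derive the dependency. The two resources also pin different API versions (2021-05-01 for the endpoint, 2021-02-01 for the zone group); if that is deliberate, a one-line comment saying why would stop the next reader from "fixing" it.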
@@ -26,13 +26,13 @@ param associatedApplicationInsightsResourceId string @sys.description('Optional. The resource ID of the associated Container Registry.') param associatedContainerRegistryResourceId string = '' -@sys.allowed([ - '' +@allowed([ 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @sys.description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @sys.description('Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service.') param hbiWorkspace bool = false @@ -138,8 +138,6 @@ param publicNetworkAccess string = 'Disabled' // ================// // Variables // // ================// -var enableReferencedModulesTelemetry = false - var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { @@ -235,11 +233,11 @@ module workspace_computes 'computes/deploy.bicep' = [for compute in computes: { } }] -resource workspace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource workspace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${workspace.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: workspace } 
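Review bot: The `@sys.allowed` → `@allowed` change drops the `sys.` namespace while the `@sys.description` decorators right next to it in the same hunk keep it, which is inconsistent within the file; if the prefix was introduced because a parameter in this module shadows a decorator name, keeping it on every decorator is the safer habit. Suggest `@sys.allowed([` to match the rest of the file. The removal of `enableReferencedModulesTelemetry` looks consistent with the new nested module no longer accepting a telemetry flag, but that is inferred from the later hunk rather than visible here.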
@@ -257,27 +255,17 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@202 scope: workspace } -module workspace_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-Workspace-PrivateEndpoint-${index}' +module workspace_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: { + name: '${uniqueString(deployment().name, location)}-MLWorkspace-PrivateEndpoints-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(workspace.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: workspace.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: workspace.id + privateEndpointVnetLocation: (empty(privateEndpoints) ? 
'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) + privateEndpointObj: privateEndpoint + tags: tags } }] -module workspace_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module workspace_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-MLWorkspace-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index 188a3df2aa..1aedc9c456 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md @@ -19,7 +19,7 @@ This module deploys a Machine Learning Services Workspace. | `Microsoft.MachineLearningServices/workspaces` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2021-07-01/workspaces) | | `Microsoft.MachineLearningServices/workspaces/computes` | [2022-01-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2022-01-01-preview/workspaces/computes) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters 
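Review bot: Swapping the shared privateEndpoints module for `.bicep/nested_privateEndpoint.bicep` silently drops the `lock`, `roleAssignments` and `manualPrivateLinkServiceConnections` inputs that the removed lines forwarded, so a caller who set `privateEndpoint.lock` (or relied on inheriting the workspace `lock`) now gets an unlocked, unassignable endpoint, and the per-endpoint key `privateDnsZoneGroups` becomes `privateDnsZoneResourceIds` — a breaking input change that the readme's `privateEndpoints` row in this diff does not mention. At minimum the readme and commit message should list the dropped fields and the renamed key. Also, `empty(privateEndpoints) ? 'dummy' : reference(...)` sits inside the `[for ... in privateEndpoints]` body, which only runs when the array is non-empty, so the `'dummy'` branch appears dead and the line can be reduced to `privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location`.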
@@ -62,7 +62,7 @@ This module deploys a Machine Learning Services Workspace. | `hbiWorkspace` | bool | `False` | | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | | `imageBuildCompute` | string | `''` | | The compute name for image build. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | | `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether requests from Public Network are allowed. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -467,9 +467,6 @@ module workspaces './Microsoft.MachineLearningServices/workspaces/deploy.bicep' "name": { "value": "<>-az-mls-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "sku": { "value": "Basic" }, @@ -593,7 +590,6 @@ module workspaces './Microsoft.MachineLearningServices/workspaces/deploy.bicep' name: '${uniqueString(deployment().name)}-workspaces' params: { name: '<>-az-mls-x-001' - lock: 'CanNotDelete' sku: 'Basic' associatedStorageAccountResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' associatedKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' 
diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep index 85fdd4d9ab..9bd59c7a31 100644 --- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep @@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: userMsi }] diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.parameters/parameters.json b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.parameters/parameters.json index d76c001bb1..141d57730e 100644 --- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.parameters/parameters.json +++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-msi-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep index 78d3ee9855..e60c093e4a 100644 --- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep +++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep 
@@ -5,12 +5,12 @@ param name string = guid(resourceGroup().id) param location string = resourceGroup().location @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -39,16 +39,16 @@ resource userMsi 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = tags: tags } -resource userMsi_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource userMsi_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${userMsi.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: userMsi } -module userMsi_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module userMsi_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-UserMSI-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md index 519353d644..caf36b4a9b 100644 
--- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md +++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md @@ -24,7 +24,7 @@ This module deploys a user assigned identity. | :-- | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `name` | string | `[guid(resourceGroup().id)]` | | Name of the User Assigned Identity. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -156,9 +156,6 @@ tags: { "name": { "value": "<>-az-msi-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { @@ -185,7 +182,6 @@ module userAssignedIdentities './Microsoft.ManagedIdentity/userAssignedIdentitie name: '${uniqueString(deployment().name)}-userAssignedIdentities' params: { name: '<>-az-msi-x-001' - lock: 'CanNotDelete' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/arm/Microsoft.ManagedServices/registrationDefinitions/readme.md b/arm/Microsoft.ManagedServices/registrationDefinitions/readme.md index f630ecb481..b01c422bf3 100644 --- a/arm/Microsoft.ManagedServices/registrationDefinitions/readme.md +++ b/arm/Microsoft.ManagedServices/registrationDefinitions/readme.md 
@@ -1,6 +1,6 @@ # Registration Definitions `[Microsoft.ManagedServices/registrationDefinitions]` -This module deploys `registrationDefinitions` and `registrationAssignments` (often referred to as 'Lighthouse' or 'resource delegation') +This module deploys `registrationDefinitions` and `registrationAssignments` (often refered to as 'Lighthouse' or 'resource delegation') on subscription or resource group scopes. This type of delegation is very similar to role assignments but here the principal that is assigned a role is in a remote/managing Azure Active Directory tenant. The templates are run towards the tenant where the Azure resources you want to delegate access to are, providing 'authorizations' (aka. access delegation) to principals in a diff --git a/arm/Microsoft.Management/managementGroups/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Management/managementGroups/.bicep/nested_rbac.bicep similarity index 99% rename from arm/Microsoft.Management/managementGroups/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Management/managementGroups/.bicep/nested_rbac.bicep index 67d8295aac..e3e8cce4fa 100644 --- a/arm/Microsoft.Management/managementGroups/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Management/managementGroups/.bicep/nested_rbac.bicep @@ -313,6 +313,6 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } }] diff --git a/arm/Microsoft.Management/managementGroups/deploy.bicep b/arm/Microsoft.Management/managementGroups/deploy.bicep index 5f8475dfb4..bef5e6561f 100644 --- a/arm/Microsoft.Management/managementGroups/deploy.bicep +++ b/arm/Microsoft.Management/managementGroups/deploy.bicep 
@@ -44,7 +44,7 @@ resource managementGroup 'Microsoft.Management/managementGroups@2021-04-01' = { } } -module managementGroup_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module managementGroup_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name)}-ManagementGroup-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_rbac.bicep index 20782d86b7..f6a21aceee 100644 --- a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_rbac.bicep @@ -47,7 +47,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: netAppAccount }] diff --git a/arm/Microsoft.NetApp/netAppAccounts/.parameters/nfs3.parameters.json b/arm/Microsoft.NetApp/netAppAccounts/.parameters/nfs3.parameters.json index 8718b5fdab..1e5a91b39d 100644 --- a/arm/Microsoft.NetApp/netAppAccounts/.parameters/nfs3.parameters.json +++ b/arm/Microsoft.NetApp/netAppAccounts/.parameters/nfs3.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-anf-nfs3-001" }, - "lock": { - "value": "CanNotDelete" - }, "capacityPools": { "value": [ { 
diff --git a/arm/Microsoft.NetApp/netAppAccounts/capacityPools/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.NetApp/netAppAccounts/capacityPools/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.NetApp/netAppAccounts/capacityPools/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.NetApp/netAppAccounts/capacityPools/.bicep/nested_rbac.bicep index 9ef2d1f9f0..4d985f72a2 100644 --- a/arm/Microsoft.NetApp/netAppAccounts/capacityPools/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.NetApp/netAppAccounts/capacityPools/.bicep/nested_rbac.bicep @@ -47,7 +47,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: capacityPool }] diff --git a/arm/Microsoft.NetApp/netAppAccounts/capacityPools/deploy.bicep b/arm/Microsoft.NetApp/netAppAccounts/capacityPools/deploy.bicep index 0115c75289..529388c313 100644 --- a/arm/Microsoft.NetApp/netAppAccounts/capacityPools/deploy.bicep +++ b/arm/Microsoft.NetApp/netAppAccounts/capacityPools/deploy.bicep @@ -41,7 +41,7 @@ param roleAssignments array = [] @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' 
@@ -87,11 +87,11 @@ module capacityPool_volumes 'volumes/deploy.bicep' = [for (volume, index) in vol subnetResourceId: volume.subnetResourceId exportPolicyRules: contains(volume, 'exportPolicyRules') ? volume.exportPolicyRules : [] roleAssignments: contains(volume, 'roleAssignments') ? volume.roleAssignments : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] -module capacityPool_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module capacityPool_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${deployment().name}-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.NetApp/netAppAccounts/capacityPools/volumes/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.NetApp/netAppAccounts/capacityPools/volumes/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.NetApp/netAppAccounts/capacityPools/volumes/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.NetApp/netAppAccounts/capacityPools/volumes/.bicep/nested_rbac.bicep index fc4003f377..33ca0669c1 100644 --- a/arm/Microsoft.NetApp/netAppAccounts/capacityPools/volumes/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.NetApp/netAppAccounts/capacityPools/volumes/.bicep/nested_rbac.bicep @@ -47,7 +47,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: volume }] 
diff --git a/arm/Microsoft.NetApp/netAppAccounts/capacityPools/volumes/deploy.bicep b/arm/Microsoft.NetApp/netAppAccounts/capacityPools/volumes/deploy.bicep index 8c4a6eae33..efc2a05185 100644 --- a/arm/Microsoft.NetApp/netAppAccounts/capacityPools/volumes/deploy.bicep +++ b/arm/Microsoft.NetApp/netAppAccounts/capacityPools/volumes/deploy.bicep @@ -76,7 +76,7 @@ resource volume 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2021-06-0 } } -module volume_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module volume_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${deployment().name}-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.NetApp/netAppAccounts/deploy.bicep b/arm/Microsoft.NetApp/netAppAccounts/deploy.bicep index 0a30cf3c68..76f5353940 100644 --- a/arm/Microsoft.NetApp/netAppAccounts/deploy.bicep +++ b/arm/Microsoft.NetApp/netAppAccounts/deploy.bicep @@ -30,12 +30,12 @@ param roleAssignments array = [] param location string = resourceGroup().location @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Tags for all resources.') param tags object = {} @@ -43,7 +43,7 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false var activeDirectoryConnectionProperties = [ { 
@@ -77,16 +77,16 @@ resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2021-04-01' = { } } -resource netAppAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource netAppAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${netAppAccount.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: netAppAccount } -module netAppAccount_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module netAppAccount_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-ANFAccount-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' @@ -109,7 +109,7 @@ module netAppAccount_capacityPools 'capacityPools/deploy.bicep' = [for (capacity volumes: contains(capacityPool, 'volumes') ? capacityPool.volumes : [] coolAccess: contains(capacityPool, 'coolAccess') ? capacityPool.coolAccess : false roleAssignments: contains(capacityPool, 'roleAssignments') ? capacityPool.roleAssignments : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] diff --git a/arm/Microsoft.NetApp/netAppAccounts/readme.md b/arm/Microsoft.NetApp/netAppAccounts/readme.md index 7e92376887..e6c0c88d03 100644 --- a/arm/Microsoft.NetApp/netAppAccounts/readme.md +++ b/arm/Microsoft.NetApp/netAppAccounts/readme.md 
@@ -37,7 +37,7 @@ This template deploys Azure NetApp Files. | `domainName` | string | `''` | | Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com'). | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `smbServerNamePrefix` | string | `''` | | Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. | | `tags` | object | `{object}` | | Tags for all resources. | @@ -204,9 +204,6 @@ module netAppAccounts './Microsoft.NetApp/netAppAccounts/deploy.bicep' = { "name": { "value": "<>-az-anf-nfs3-001" }, - "lock": { - "value": "CanNotDelete" - }, "capacityPools": { "value": [ { @@ -310,7 +307,6 @@ module netAppAccounts './Microsoft.NetApp/netAppAccounts/deploy.bicep' = { name: '${uniqueString(deployment().name)}-netAppAccounts' params: { name: '<>-az-anf-nfs3-001' - lock: 'CanNotDelete' capacityPools: [ { name: '<>-az-anfcp-x-001' 
diff --git a/arm/Microsoft.Network/applicationGateways/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/applicationGateways/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/applicationGateways/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/applicationGateways/.bicep/nested_rbac.bicep index 2b47534cd3..c5994b6368 100644 --- a/arm/Microsoft.Network/applicationGateways/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/applicationGateways/.bicep/nested_rbac.bicep @@ -55,7 +55,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: applicationGateway }] diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json index f0a3b3a148..e0a8603a84 100644 --- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json +++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-apgw-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "userAssignedIdentities": { "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} @@ -333,7 +330,7 @@ { "name": "<>-az-apgw-x-001-ssl-certificate", "properties": { - "keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate" + "keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate02/40b9b1a7a69e48cfa1e36f24b97b8799" } } ] 
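Review bot: Dropping `"lock": { "value": "CanNotDelete" }` from the validation parameters means the `applicationGateway_lock` branch (`lock != 'NotSpecified'`) is no longer exercised by this module's test deployment, and the same removal appears in the other parameter files in this change. If lock coverage has moved to a dedicated parameter set not visible here, that is fine; otherwise keep at least one parameter file that sets the lock so a regression in the lock resource is caught before release.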
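Review bot: The new `keyVaultSecretId` pins a specific secret version (`.../secrets/applicationGatewaySslCertificate02/40b9b1a7a69e48cfa1e36f24b97b8799`); Application Gateway only picks up a rotated certificate automatically when the reference is versionless, so a pinned version keeps serving the old certificate after rotation until someone edits the parameter. If the pin is deliberate for the validation run, a one-line note next to the readme example would stop the next reader from copying it into production; otherwise use the versionless identifier `https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate02`. The firewall and readme hunks in this change repeat the same value.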
diff --git a/arm/Microsoft.Network/applicationGateways/deploy.bicep b/arm/Microsoft.Network/applicationGateways/deploy.bicep index feaa45454f..f5bbb4e76c 100644 --- a/arm/Microsoft.Network/applicationGateways/deploy.bicep +++ b/arm/Microsoft.Network/applicationGateways/deploy.bicep @@ -236,12 +236,12 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { }] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -320,10 +320,10 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' = zones: zones } -resource applicationGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource applicationGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${applicationGateway.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: applicationGateway 
@@ -342,7 +342,7 @@ resource applicationGateway_diagnosticSettingName 'Microsoft.Insights/diagnostic scope: applicationGateway } -module applicationGateway_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module applicationGateway_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-AppGateway-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/applicationGateways/readme.md b/arm/Microsoft.Network/applicationGateways/readme.md index fd3b987439..4659236112 100644 --- a/arm/Microsoft.Network/applicationGateways/readme.md +++ b/arm/Microsoft.Network/applicationGateways/readme.md @@ -55,7 +55,7 @@ This module deploys Network ApplicationGateways. | `httpListeners` | array | `[]` | | Http listeners of the application gateway resource. | | `loadDistributionPolicies` | array | `[]` | | Load distribution policies of the application gateway resource. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `privateLinkConfigurations` | array | `[]` | | PrivateLink configurations on application gateway. | | `probes` | array | `[]` | | Probes of the application gateway resource. | | `redirectConfigurations` | array | `[]` | | Redirect configurations of the application gateway resource. | @@ -236,9 +236,6 @@ userAssignedIdentities: { "name": { "value": "<>-az-apgw-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "userAssignedIdentities": { "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} 
@@ -564,7 +561,7 @@ userAssignedIdentities: { { "name": "<>-az-apgw-x-001-ssl-certificate", "properties": { - "keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate" + "keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate02/40b9b1a7a69e48cfa1e36f24b97b8799" } } ] @@ -610,7 +607,6 @@ module applicationGateways './Microsoft.Network/applicationGateways/deploy.bicep name: '${uniqueString(deployment().name)}-applicationGateways' params: { name: '<>-az-apgw-x-001' - lock: 'CanNotDelete' userAssignedIdentities: { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} } @@ -909,7 +905,7 @@ module applicationGateways './Microsoft.Network/applicationGateways/deploy.bicep { name: '<>-az-apgw-x-001-ssl-certificate' properties: { - keyVaultSecretId: 'https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate' + keyVaultSecretId: 'https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate02/40b9b1a7a69e48cfa1e36f24b97b8799' } } ] diff --git a/arm/Microsoft.Network/applicationSecurityGroups/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/applicationSecurityGroups/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/applicationSecurityGroups/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/applicationSecurityGroups/.bicep/nested_rbac.bicep index 3d8f643e52..ab1bb1293d 100644 --- a/arm/Microsoft.Network/applicationSecurityGroups/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/applicationSecurityGroups/.bicep/nested_rbac.bicep 
@@ -54,7 +54,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: applicationSecurityGroup }] diff --git a/arm/Microsoft.Network/applicationSecurityGroups/.parameters/parameters.json b/arm/Microsoft.Network/applicationSecurityGroups/.parameters/parameters.json index 8bfef178fc..f740e20b42 100644 --- a/arm/Microsoft.Network/applicationSecurityGroups/.parameters/parameters.json +++ b/arm/Microsoft.Network/applicationSecurityGroups/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-asg-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.Network/applicationSecurityGroups/deploy.bicep b/arm/Microsoft.Network/applicationSecurityGroups/deploy.bicep index 9c7a9f103a..844e47bb2f 100644 --- a/arm/Microsoft.Network/applicationSecurityGroups/deploy.bicep +++ b/arm/Microsoft.Network/applicationSecurityGroups/deploy.bicep @@ -5,12 +5,12 @@ param name string param location string = resourceGroup().location @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -40,16 +40,16 @@ resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2 properties: {} } -resource applicationSecurityGroup_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource applicationSecurityGroup_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${applicationSecurityGroup.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: applicationSecurityGroup } -module applicationSecurityGroup_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module applicationSecurityGroup_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-AppSecurityGroup-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/applicationSecurityGroups/readme.md b/arm/Microsoft.Network/applicationSecurityGroups/readme.md index fb0b37c7e4..607c3f0b12 100644 --- a/arm/Microsoft.Network/applicationSecurityGroups/readme.md +++ b/arm/Microsoft.Network/applicationSecurityGroups/readme.md 
@@ -29,7 +29,7 @@ This module deploys an application security group. | :-- | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -159,9 +159,6 @@ roleAssignments: [ "name": { "value": "<>-az-asg-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { @@ -188,7 +185,6 @@ module applicationSecurityGroups './Microsoft.Network/applicationSecurityGroups/ name: '${uniqueString(deployment().name)}-applicationSecurityGroups' params: { name: '<>-az-asg-x-001' - lock: 'CanNotDelete' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress.bicep b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress.bicep index c72c028552..ff4716af59 100644 --- a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress.bicep +++ b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress.bicep 
@@ -38,12 +38,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Location for all resources.') param location string = resourceGroup().location @@ -118,10 +118,10 @@ resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' = { zones: length(zones) == 0 ? null : zones } -resource publicIpAddress_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource publicIpAddress_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${publicIpAddress.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: publicIpAddress diff --git a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress_rbac.bicep b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress_rbac.bicep index afb6225762..87e8e8d346 100644 --- a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress_rbac.bicep +++ b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_publicIPAddress_rbac.bicep 
@@ -49,13 +49,13 @@ resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' existi name: last(split(resourceId, '/')) } -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: { +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for principalId in principalIds: { name: guid(publicIpAddress.name, principalId, roleDefinitionIdOrName) properties: { description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: publicIpAddress }] diff --git a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/azureFirewalls/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep index faa2d91941..8f0046e183 100644 --- a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep @@ -54,7 +54,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: azureFirewall }] diff --git a/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json b/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json index 6f0a85edea..8987b8a8ef 100644 
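Review bot: `nested_publicIPAddress_rbac.bicep` moves to `Microsoft.Authorization/roleAssignments@2021-04-01-preview` while `nested_rbac.bicep` in the same module (renamed in the following hunk) stays on `2020-10-01-preview`, and the module readme in this change now lists both versions. Role assignments created by one module should use a single API version so `principalType`/`description` handling is identical at every scope; either bump `nested_rbac.bicep` to `2021-04-01-preview` as well or keep this resource on `2020-10-01-preview` until both are moved together.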
--- a/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json +++ b/arm/Microsoft.Network/azureFirewalls/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-fw-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "zones": { "value": [ "1", diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep index c05cbc0a2c..def11ea777 100644 --- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep +++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep @@ -78,12 +78,12 @@ param diagnosticEventHubName string = '' param location string = resourceGroup().location @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -245,10 +245,10 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = { } } -resource azureFirewall_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource azureFirewall_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${azureFirewall.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: azureFirewall 
@@ -267,7 +267,7 @@ resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticSettings scope: azureFirewall } -module azureFirewall_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module azureFirewall_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-AzFW-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md index c88446cc56..48fc18f1ba 100644 --- a/arm/Microsoft.Network/azureFirewalls/readme.md +++ b/arm/Microsoft.Network/azureFirewalls/readme.md @@ -15,6 +15,7 @@ This module deploys a firewall. | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) | | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/azureFirewalls` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/azureFirewalls) | 
@@ -48,7 +49,7 @@ This module deploys a firewall. | `firewallPolicyId` | string | `''` | | Resource ID of the Firewall Policy that should be attached. | | `isCreateDefaultPublicIP` | bool | `True` | | Specifies if a public ip should be created by default if one is not provided. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `natRuleCollections` | array | `[]` | | Collection of NAT rule collections used by Azure Firewall. | | `networkRuleCollections` | array | `[]` | | Collection of network rule collections used by Azure Firewall. | | `publicIPAddressObject` | object | `{object}` | | Specifies the properties of the public IP to create and be used by Azure Firewall. If it's not provided and publicIPAddressId is empty, a '-pip' suffix will be appended to the Firewall's name. | @@ -495,9 +496,6 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { "name": { "value": "<>-az-fw-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "zones": { "value": [ "1", @@ -637,7 +635,6 @@ module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { name: '${uniqueString(deployment().name)}-azureFirewalls' params: { name: '<>-az-fw-x-001' - lock: 'CanNotDelete' zones: [ '1' '2' diff --git a/arm/Microsoft.Network/bastionHosts/.bicep/nested_publicIPAddress.bicep b/arm/Microsoft.Network/bastionHosts/.bicep/nested_publicIPAddress.bicep new file mode 100644 index 0000000000..9d6ee4e273 --- /dev/null +++ b/arm/Microsoft.Network/bastionHosts/.bicep/nested_publicIPAddress.bicep 
@@ -0,0 +1,153 @@ +@description('Required. The name of the Public IP Address') +param name string + +@description('Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.') +param publicIPPrefixResourceId string = '' + +@description('Optional. The public IP address allocation method. - Static or Dynamic.') +param publicIPAllocationMethod string = 'Dynamic' + +@description('Optional. Public IP Address sku Name') +param skuName string = 'Basic' + +@description('Optional. Public IP Address pricing tier') +param skuTier string = 'Regional' + +@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@minValue(0) +@maxValue(365) +param diagnosticLogsRetentionInDays int = 365 + +@description('Optional. Resource ID of the diagnostic storage account.') +param diagnosticStorageAccountId string = '' + +@description('Optional. Resource identifier of log analytics.') +param diagnosticWorkspaceId string = '' + +@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +param diagnosticEventHubAuthorizationRuleId string = '' + +@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +param diagnosticEventHubName string = '' + +@allowed([ + 'CanNotDelete' + 'NotSpecified' + 'ReadOnly' +]) +@description('Optional. Specify the type of lock.') +param lock string = 'NotSpecified' + +@description('Optional. Location for all resources.') +param location string = resourceGroup().location + +@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') +param roleAssignments array = [] + +@description('Optional. Tags of the resource.') +param tags object = {} + +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'DDoSProtectionNotifications' + 'DDoSMitigationFlowLogs' + 'DDoSMitigationReports' +]) +param diagnosticLogCategoriesToEnable array = [ + 'DDoSProtectionNotifications' + 'DDoSMitigationFlowLogs' + 'DDoSMitigationReports' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param diagnosticMetricsToEnable array = [ + 'AllMetrics' +] + +@description('Optional. The name of the diagnostic setting, if deployed.') +param diagnosticSettingsName string = '${name}-diagnosticSettings' + +var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { + category: category + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var publicIPPrefix = { + id: publicIPPrefixResourceId +} + +resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' = { + name: name + location: location + tags: tags + sku: { + name: skuName + tier: skuTier + } + properties: { + publicIPAddressVersion: 'IPv4' + publicIPAllocationMethod: publicIPAllocationMethod + publicIPPrefix: !empty(publicIPPrefixResourceId) ? 
publicIPPrefix : null + idleTimeoutInMinutes: 4 + ipTags: [] + } +} + +resource publicIpAddress_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { + name: '${publicIpAddress.name}-${lock}-lock' + properties: { + level: lock + notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + } + scope: publicIpAddress +} + +resource publicIpAddress_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { + name: diagnosticSettingsName + properties: { + storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null + workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null + eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null + eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null + metrics: diagnosticsMetrics + logs: diagnosticsLogs + } + scope: publicIpAddress +} + +module publicIpAddress_rbac 'nested_publicIPAddress_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: '${deployment().name}-rbac-${index}' + params: { + description: contains(roleAssignment, 'description') ? roleAssignment.description : '' + principalIds: roleAssignment.principalIds + principalType: contains(roleAssignment, 'principalType') ? 
roleAssignment.principalType : '' + roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName + resourceId: publicIpAddress.id + } +}] + +@description('The resource group the public IP address was deployed into') +output resourceGroupName string = resourceGroup().name + +@description('The name of the public IP address') +output name string = publicIpAddress.name + +@description('The resource ID of the public IP address') +output resourceId string = publicIpAddress.id diff --git a/arm/Microsoft.Network/bastionHosts/.bicep/nested_publicIPAddress_rbac.bicep b/arm/Microsoft.Network/bastionHosts/.bicep/nested_publicIPAddress_rbac.bicep new file mode 100644 index 0000000000..e9f7dacb77 --- /dev/null +++ b/arm/Microsoft.Network/bastionHosts/.bicep/nested_publicIPAddress_rbac.bicep 
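Review bot: The defaults `param publicIPAllocationMethod string = 'Dynamic'` and `param skuName string = 'Basic'` in this new nested module cannot back an Azure Bastion host, which requires a Standard-SKU, statically allocated public IP; unless the parent `deploy.bicep` (outside this view) always overrides both, a caller relying on the defaults fails at the Bastion resource rather than at parameter validation. Suggest `param publicIPAllocationMethod string = 'Static'` and `param skuName string = 'Standard'`, or an `@allowed(['Standard'])` on the SKU. Separately, the diagnostic-settings condition accepts a bare `diagnosticEventHubName`, but the resulting setting then carries `eventHubName` without `eventHubAuthorizationRuleId`, which the service is likely to reject; consider dropping `|| !empty(diagnosticEventHubName)` from the `if (...)` so the rule ID is what enables the event-hub sink.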
@@ -0,0 +1,61 @@ +@sys.description('Required. The IDs of the principals to assign the role to.') +param principalIds array + +@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') +param roleDefinitionIdOrName string + +@sys.description('Required. The resource ID of the resource to apply the role assignment to.') +param resourceId string + +@sys.description('Optional. The principal type of the assigned principal ID.') +@allowed([ + 'ServicePrincipal' + 'Group' + 'User' + 'ForeignGroup' + 'Device' + '' +]) +param principalType string = '' + +@sys.description('Optional. The description of the role assignment.') +param description string = '' + +var builtInRoleNames = { + 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') + 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') + 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') + 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') + 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') + 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') + 'Managed Application Operator Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') + 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') + 'Microsoft OneAsset Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd1bb084-1503-4bd2-99c0-630220046786') + 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') + 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') + 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') + 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') + 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') + 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') + 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') + 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') +} + +resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' existing = { + name: last(split(resourceId, '/')) +} + +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: { + name: guid(publicIpAddress.id, principalId, roleDefinitionIdOrName) + properties: { + description: description + 
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName + principalId: principalId + principalType: !empty(principalType) ? principalType : null + } + scope: publicIpAddress +}] diff --git a/arm/Microsoft.Network/bastionHosts/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/bastionHosts/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/bastionHosts/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/bastionHosts/.bicep/nested_rbac.bicep index 86871886fd..1d560a300a 100644 --- a/arm/Microsoft.Network/bastionHosts/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/bastionHosts/.bicep/nested_rbac.bicep @@ -54,7 +54,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: azureBastion }] diff --git a/arm/Microsoft.Network/bastionHosts/.parameters/addpip.parameters.json b/arm/Microsoft.Network/bastionHosts/.parameters/addpip.parameters.json deleted file mode 100644 index 7c82650737..0000000000 --- a/arm/Microsoft.Network/bastionHosts/.parameters/addpip.parameters.json +++ /dev/null 
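Review bot: The role-assignment name is seeded with `guid(publicIpAddress.id, principalId, roleDefinitionIdOrName)` here, while the firewall's sibling `nested_publicIPAddress_rbac.bicep` earlier in this change seeds with `publicIpAddress.name`; both are deterministic, but one shared seed keeps assignment names predictable when the same principal/role pair is applied through different modules. Pick one form (the resource ID is the safer seed, since it is unique across resource groups) and align the other file. Since `principalType` defaults to `''` and is then omitted, a comment noting that callers creating assignments for freshly created service principals should pass `principalType: 'ServicePrincipal'` to avoid replication-lag lookup failures would help.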
@@ -1,20 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-bas-add-001" - }, - "vNetId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-add-bas" - }, - "additionalPublicIpConfigurations": { - "value": [ - { - "name": "ipConfig01", - "publicIPAddressResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-additional-bas" - } - ] - } - } -} diff --git a/arm/Microsoft.Network/bastionHosts/.parameters/custompip.parameters.json b/arm/Microsoft.Network/bastionHosts/.parameters/custompip.parameters.json deleted file mode 100644 index dbb195e70f..0000000000 --- a/arm/Microsoft.Network/bastionHosts/.parameters/custompip.parameters.json +++ /dev/null @@ -1,37 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-bas-custompip-001" - }, - "vNetId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-custompip-bas" - }, - "publicIPAddressObject": { - "value": { - "name": "adp-<>-az-pip-custom-x-bas", - "publicIPPrefixResourceId": "", - "publicIPAllocationMethod": "Static", - "skuName": "Standard", - "skuTier": "Regional", - "roleAssignments": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] - } - ], - "diagnosticMetricsToEnable": [ - "AllMetrics" - ], - "diagnosticLogCategoriesToEnable": [ - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ] - } - } - } -} diff --git a/arm/Microsoft.Network/bastionHosts/.parameters/parameters.json b/arm/Microsoft.Network/bastionHosts/.parameters/parameters.json index 0f0cf18c07..0b1cd0d25b 100644 
--- a/arm/Microsoft.Network/bastionHosts/.parameters/parameters.json
+++ b/arm/Microsoft.Network/bastionHosts/.parameters/parameters.json
@@ -5,13 +5,10 @@
 "name": {
 "value": "<>-az-bas-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "vNetId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001"
 },
- "azureBastionSubnetPublicIpId": {
+ "publicIPAddressId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-bas"
 },
 "skuType": {
diff --git a/arm/Microsoft.Network/bastionHosts/deploy.bicep b/arm/Microsoft.Network/bastionHosts/deploy.bicep
index be8b1ee09a..e8593a831e 100644
--- a/arm/Microsoft.Network/bastionHosts/deploy.bicep
+++ b/arm/Microsoft.Network/bastionHosts/deploy.bicep
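Review bot: Removing `"lock": { "value": "CanNotDelete" }` from the validation parameter file means the `azureBastion_lock` resource in deploy.bicep (now gated on `lock != 'NotSpecified'`) is no longer exercised by the module's test deployment; the same removal appears in the connections, ddosProtectionPlans and expressRouteCircuits parameter files. If this is deliberate, presumably because a lock on the validation resources blocks test-resource cleanup, that trade-off is worth recording where a maintainer will see it, since a JSON parameter file has no comment syntax. A sentence in the module readme's deployment-examples section, or a second parameter file that sets `lock` and is excluded from cleanup, would keep the lock path covered or at least visibly untested.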
@@ -7,16 +7,10 @@ param location string = resourceGroup().location
 @description('Required. Shared services Virtual Network resource identifier.')
 param vNetId string
-@description('Optional. The public ip resource ID to associate to the azureBastionSubnet. If empty, then the public ip that is created as part of this module will be applied to the azureBastionSubnet.')
-param azureBastionSubnetPublicIpId string = ''
+@description('Optional. Specifies the resource ID of the existing public IP to be leveraged by Azure Bastion.')
+param publicIPAddressId string = ''
-@description('Optional. This is to add any additional public ip configurations on top of the public ip with subnet ip configuration.')
-param additionalPublicIpConfigurations array = []
-
-@description('Optional. Specifies if a public ip should be created by default if one is not provided.')
-param isCreateDefaultPublicIP bool = true
-
-@description('Optional. Specifies the properties of the public IP to create and be used by Azure Bastion. If it\'s not provided and publicIPAddressResourceId is empty, a \'-pip\' suffix will be appended to the Bastion\'s name.')
+@description('Optional. Specifies the properties of the public IP to create and be used by Azure Bastion. If it\'s not provided and publicIPAddressId is empty, a \'-pip\' suffix will be appended to the Bastion\'s name.')
 param publicIPAddressObject object = {}
 @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
@@ -37,12 +31,12 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''
 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
 @allowed([
 'Basic'
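Review bot: Dropping `''` from the `@allowed` list of `lock` while moving the default to `'NotSpecified'` is a breaking interface change that the description does not mention: any caller that passes `lock: ''` today (the previous default, and the value documented in the old readme table) now fails parameter validation instead of deploying without a lock. The same change is made in connections/deploy.bicep, ddosProtectionPlans/deploy.bicep and expressRouteCircuits/deploy.bicep. The new sentinel's meaning is only implied by the `lock != 'NotSpecified'` condition further down the file; stating it on the parameter, `@description('Optional. Specify the type of lock. \'NotSpecified\' (the default) deploys no lock resource.')`, makes the contract explicit and flows into the generated readme tables.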
@@ -85,46 +79,6 @@ var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { var scaleUnits_var = skuType == 'Basic' ? 2 : scaleUnits -var additionalPublicIpConfigurations_var = [for ipConfiguration in additionalPublicIpConfigurations: { - name: ipConfiguration.name - properties: { - publicIPAddress: contains(ipConfiguration, 'publicIPAddressResourceId') ? { - id: ipConfiguration.publicIPAddressResourceId - } : null - } -}] - -// ---------------------------------------------------------------------------- -// Prep ipConfigurations object AzureBastionSubnet for different uses cases: -// 1. Use existing public ip -// 2. Use new public ip created in this module -// 3. Do not use a public ip if isCreateDefaultPublicIP is false -var subnet_var = { - subnet: { - id: '${vNetId}/subnets/AzureBastionSubnet' // The subnet name must be AzureBastionSubnet - } -} -var existingPip = { - publicIPAddress: { - id: azureBastionSubnetPublicIpId - } -} -var newPip = { - publicIPAddress: (empty(azureBastionSubnetPublicIpId) && isCreateDefaultPublicIP) ? { - id: publicIPAddress.outputs.resourceId - } : null -} - -var ipConfigurations = concat([ - { - name: 'IpConfAzureBastionSubnet' - //Use existing public ip, new public ip created in this module, or none if isCreateDefaultPublicIP is false - properties: union(subnet_var, !empty(azureBastionSubnetPublicIpId) ? existingPip : {}, (isCreateDefaultPublicIP ? newPip : {})) - } -], additionalPublicIpConfigurations_var) - -// ---------------------------------------------------------------------------- - resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
@@ -137,34 +91,42 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -module publicIPAddress '../publicIPAddresses/deploy.bicep' = if (empty(azureBastionSubnetPublicIpId) && isCreateDefaultPublicIP) { +resource publicIPAddressExisting 'Microsoft.Network/publicIPAddresses@2021-05-01' existing = if (!empty(publicIPAddressId)) { + name: last(split(publicIPAddressId, '/')) + scope: resourceGroup(split(publicIPAddressId, '/')[2], split(publicIPAddressId, '/')[4]) +} + +module publicIPAddress '.bicep/nested_publicIPAddress.bicep' = if (empty(publicIPAddressId)) { name: '${uniqueString(deployment().name, location)}-Bastion-PIP' params: { - name: contains(publicIPAddressObject, 'name') ? publicIPAddressObject.name : '${name}-pip' - diagnosticLogCategoriesToEnable: contains(publicIPAddressObject, 'diagnosticLogCategoriesToEnable') ? publicIPAddressObject.diagnosticLogCategoriesToEnable : [ + name: contains(publicIPAddressObject, 'name') ? (!(empty(publicIPAddressObject.name)) ? publicIPAddressObject.name : '${name}-pip') : '${name}-pip' + publicIPPrefixResourceId: contains(publicIPAddressObject, 'publicIPPrefixResourceId') ? (!(empty(publicIPAddressObject.publicIPPrefixResourceId)) ? publicIPAddressObject.publicIPPrefixResourceId : '') : '' + publicIPAllocationMethod: contains(publicIPAddressObject, 'publicIPAllocationMethod') ? (!(empty(publicIPAddressObject.publicIPAllocationMethod)) ? publicIPAddressObject.publicIPAllocationMethod : 'Static') : 'Static' + skuName: contains(publicIPAddressObject, 'skuName') ? (!(empty(publicIPAddressObject.skuName)) ? publicIPAddressObject.skuName : 'Standard') : 'Standard' + skuTier: contains(publicIPAddressObject, 'skuTier') ? (!(empty(publicIPAddressObject.skuTier)) ? publicIPAddressObject.skuTier : 'Regional') : 'Regional' + roleAssignments: contains(publicIPAddressObject, 'roleAssignments') ? (!empty(publicIPAddressObject.roleAssignments) ? 
publicIPAddressObject.roleAssignments : []) : [] + diagnosticMetricsToEnable: contains(publicIPAddressObject, 'diagnosticMetricsToEnable') ? (!(empty(publicIPAddressObject.diagnosticMetricsToEnable)) ? publicIPAddressObject.diagnosticMetricsToEnable : [ + 'AllMetrics' + ]) : [ + 'AllMetrics' + ] + diagnosticLogCategoriesToEnable: contains(publicIPAddressObject, 'diagnosticLogCategoriesToEnable') ? (!(empty(publicIPAddressObject.diagnosticLogCategoriesToEnable)) ? publicIPAddressObject.diagnosticLogCategoriesToEnable : [ + 'DDoSProtectionNotifications' + 'DDoSMitigationFlowLogs' + 'DDoSMitigationReports' + ]) : [ 'DDoSProtectionNotifications' 'DDoSMitigationFlowLogs' 'DDoSMitigationReports' ] - diagnosticMetricsToEnable: contains(publicIPAddressObject, 'diagnosticMetricsToEnable') ? publicIPAddressObject.diagnosticMetricsToEnable : [ - 'AllMetrics' - ] + location: location diagnosticStorageAccountId: diagnosticStorageAccountId diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays diagnosticWorkspaceId: diagnosticWorkspaceId diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId diagnosticEventHubName: diagnosticEventHubName - enableDefaultTelemetry: enableDefaultTelemetry - location: location lock: lock - publicIPAddressVersion: contains(publicIPAddressObject, 'publicIPAddressVersion') ? publicIPAddressObject.publicIPAddressVersion : 'IPv4' - publicIPAllocationMethod: contains(publicIPAddressObject, 'publicIPAllocationMethod') ? publicIPAddressObject.publicIPAllocationMethod : 'Static' - publicIPPrefixResourceId: contains(publicIPAddressObject, 'publicIPPrefixResourceId') ? publicIPAddressObject.publicIPPrefixResourceId : '' - roleAssignments: contains(publicIPAddressObject, 'roleAssignments') ? publicIPAddressObject.roleAssignments : [] - skuName: contains(publicIPAddressObject, 'skuName') ? publicIPAddressObject.skuName : 'Standard' - skuTier: contains(publicIPAddressObject, 'skuTier') ? 
publicIPAddressObject.skuTier : 'Regional' tags: tags - zones: contains(publicIPAddressObject, 'zones') ? publicIPAddressObject.zones : [] } } @@ -177,14 +139,26 @@ resource azureBastion 'Microsoft.Network/bastionHosts@2021-05-01' = { } properties: { scaleUnits: scaleUnits_var - ipConfigurations: ipConfigurations + ipConfigurations: [ + { + name: 'IpConf' + properties: { + subnet: { + id: '${vNetId}/subnets/AzureBastionSubnet' + } + publicIPAddress: { + id: !(empty(publicIPAddressId)) ? publicIPAddressId : publicIPAddress.outputs.resourceId + } + } + } + ] } } -resource azureBastion_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource azureBastion_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${azureBastion.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: azureBastion @@ -202,7 +176,7 @@ resource azureBastion_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@ scope: azureBastion } -module azureBastion_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module azureBastion_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-Bastion-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' @@ -224,6 +198,3 @@ output resourceId string = azureBastion.id @description('The location the resource was deployed into.') output location string = azureBastion.location - -@description('The public ipconfiguration object for the AzureBastionSubnet.') -output ipConfAzureBastionSubnet object = azureBastion.properties.ipConfigurations[0] diff --git a/arm/Microsoft.Network/bastionHosts/readme.md b/arm/Microsoft.Network/bastionHosts/readme.md index b948f83625..54dad8d328 100644 
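Review bot: `publicIPAddressExisting` is declared with a subscription/resource-group `scope` built from `split(publicIPAddressId, '/')[2]` and `[4]`, but nothing in the new code references it — the `ipConfigurations` block in the following hunk reads `publicIPAddressId` directly — so the `existing` declaration is dead code that is presumably compiled away, and its index expressions are never validated against a malformed ID. Either drop those five lines or use the reference, `id: !empty(publicIPAddressId) ? publicIPAddressExisting.id : publicIPAddress.outputs.resourceId`, so the two places agree on where the ID comes from. Separately, the rewritten module call no longer forwards `publicIPAddressVersion`, `zones` or `enableDefaultTelemetry` from `publicIPAddressObject`; if `.bicep/nested_publicIPAddress.bicep` does not accept them, a caller that sets `zones` today silently gets a non-zonal public IP, which deserves a line in the parameter description listing the keys that are honoured (`name`, `publicIPPrefixResourceId`, `publicIPAllocationMethod`, `skuName`, `skuTier`, `roleAssignments`, `diagnosticMetricsToEnable`, `diagnosticLogCategoriesToEnable`). The `publicIPAddress` module declaration begins inside this hunk but its parameter list continues onto the next line of the page.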
--- a/arm/Microsoft.Network/bastionHosts/readme.md +++ b/arm/Microsoft.Network/bastionHosts/readme.md @@ -30,8 +30,6 @@ This module deploys a bastion host. **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `additionalPublicIpConfigurations` | array | `[]` | | This is to add any additional public ip configurations on top of the public ip with subnet ip configuration. | -| `azureBastionSubnetPublicIpId` | string | `''` | | The public ip resource ID to associate to the azureBastionSubnet. If empty, then the public ip that is created as part of this module will be applied to the azureBastionSubnet. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `diagnosticLogCategoriesToEnable` | array | `[BastionAuditLogs]` | `[BastionAuditLogs]` | Optional. The name of bastion logs that will be streamed. | 
@@ -40,137 +38,16 @@ This module deploys a bastion host. | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `isCreateDefaultPublicIP` | bool | `True` | | Specifies if a public ip should be created by default if one is not provided. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `publicIPAddressObject` | object | `{object}` | | Specifies the properties of the public IP to create and be used by Azure Bastion. If it's not provided and publicIPAddressResourceId is empty, a '-pip' suffix will be appended to the Bastion's name. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | +| `publicIPAddressId` | string | `''` | | Specifies the resource ID of the existing public IP to be leveraged by Azure Bastion. | +| `publicIPAddressObject` | object | `{object}` | | Specifies the properties of the public IP to create and be used by Azure Bastion. If it's not provided and publicIPAddressId is empty, a '-pip' suffix will be appended to the Bastion's name. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `scaleUnits` | int | `2` | | The scale units for the Bastion Host resource. 
| | `skuType` | string | `'Basic'` | `[Basic, Standard]` | The SKU of this Bastion Host. | | `tags` | object | `{object}` | | Tags of the resource. | -### Parameter Usage: `additionalPublicIpConfigurations` - -Create additional public ip configurations from existing public ips - -

- -Parameter JSON format - -```json -"additionalPublicIpConfigurations": { - "value": [ - { - "name": "ipConfig01", - "publicIPAddressResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-fw-01" - }, - { - "name": "ipConfig02", - "publicIPAddressResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-fw-02" - } - ] -} -``` - -
- -
- -Bicep format - -```bicep -additionalPublicIpConfigurations: [ - { - name: 'ipConfig01' - publicIPAddressResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-fw-01' - } - { - name: 'ipConfig02' - publicIPAddressResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-fw-02' - } -] -``` - -
- - -### Parameter Usage: `publicIPAddressObject` - -The Public IP Address object to create as part of the module. This will be created if `isCreateDefaultPublicIP` is true (which it is by default). If not provided, the name and other configurations will be set by default. - - -
- -Parameter JSON format - -```json -"publicIPAddressObject": { - "value": { - "name": "adp-<>-az-pip-custom-x-fw", - "publicIPPrefixResourceId": "", - "publicIPAllocationMethod": "Static", - "skuName": "Standard", - "skuTier": "Regional", - "roleAssignments": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] - } - ], - "diagnosticMetricsToEnable": [ - "AllMetrics" - ], - "diagnosticLogCategoriesToEnable": [ - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ] - } -} -``` - -
- - - -
- -Bicep format - - -```bicep -publicIPAddressObject: { - name: 'mypip' - publicIPPrefixResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPPrefixes/myprefix' - publicIPAllocationMethod: 'Dynamic' - skuName: 'Basic' - skuTier: 'Regional' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - '<>' - ] - } - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' - ] - diagnosticLogCategoriesToEnable: [ - 'DDoSProtectionNotifications' - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' - ] -} -``` - -
- - - ### Parameter Usage: `tags` Tag names and tag values can be provided as needed. A tag can be left without a value. @@ -275,7 +152,6 @@ roleAssignments: [ | Output Name | Type | Description | | :-- | :-- | :-- | -| `ipConfAzureBastionSubnet` | object | The public ipconfiguration object for the AzureBastionSubnet. | | `location` | string | The location the resource was deployed into. | | `name` | string | The name the Azure Bastion. | | `resourceGroupName` | string | The resource group the Azure Bastion was deployed into. | @@ -289,148 +165,6 @@ roleAssignments: [ via JSON Parameter file -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-bas-add-001" - }, - "vNetId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-add-bas" - }, - "additionalPublicIpConfigurations": { - "value": [ - { - "name": "ipConfig01", - "publicIPAddressResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-additional-bas" - } - ] - } - } -} - -``` - -
- -
- -via Bicep module - -```bicep -module bastionHosts './Microsoft.Network/bastionHosts/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-bastionHosts' - params: { - name: '<>-az-bas-add-001' - vNetId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-add-bas' - additionalPublicIpConfigurations: [ - { - name: 'ipConfig01' - publicIPAddressResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-additional-bas' - } - ] - } -``` - -
-

- -

Example 2

- -
- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-bas-custompip-001" - }, - "vNetId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-custompip-bas" - }, - "publicIPAddressObject": { - "value": { - "name": "adp-<>-az-pip-custom-x-bas", - "publicIPPrefixResourceId": "", - "publicIPAllocationMethod": "Static", - "skuName": "Standard", - "skuTier": "Regional", - "roleAssignments": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] - } - ], - "diagnosticMetricsToEnable": [ - "AllMetrics" - ], - "diagnosticLogCategoriesToEnable": [ - "DDoSProtectionNotifications", - "DDoSMitigationFlowLogs", - "DDoSMitigationReports" - ] - } - } - } -} - -``` - -
- -
- -via Bicep module - -```bicep -module bastionHosts './Microsoft.Network/bastionHosts/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-bastionHosts' - params: { - name: '<>-az-bas-custompip-001' - vNetId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-custompip-bas' - publicIPAddressObject: { - name: 'adp-<>-az-pip-custom-x-bas' - publicIPPrefixResourceId: '' - publicIPAllocationMethod: 'Static' - skuName: 'Standard' - skuTier: 'Regional' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - '<>' - ] - } - ] - diagnosticMetricsToEnable: [ - 'AllMetrics' - ] - diagnosticLogCategoriesToEnable: [ - 'DDoSProtectionNotifications' - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' - ] - } - } -``` - -
-

- -

Example 3

- -
- -via JSON Parameter file - ```json { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", @@ -465,7 +199,7 @@ module bastionHosts './Microsoft.Network/bastionHosts/deploy.bicep' = {

-

Example 4

+

Example 2

@@ -479,13 +213,10 @@ module bastionHosts './Microsoft.Network/bastionHosts/deploy.bicep' = { "name": { "value": "<>-az-bas-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "vNetId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001" }, - "azureBastionSubnetPublicIpId": { + "publicIPAddressId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-bas" }, "skuType": { @@ -535,9 +266,8 @@ module bastionHosts './Microsoft.Network/bastionHosts/deploy.bicep' = { name: '${uniqueString(deployment().name)}-bastionHosts' params: { name: '<>-az-bas-x-001' - lock: 'CanNotDelete' vNetId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001' - azureBastionSubnetPublicIpId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-bas' + publicIPAddressId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-bas' skuType: 'Standard' scaleUnits: 4 roleAssignments: [ diff --git a/arm/Microsoft.Network/connections/.parameters/vnet2vnet.parameters.json b/arm/Microsoft.Network/connections/.parameters/vnet2vnet.parameters.json index c58d1a4593..b1734ef616 100644 --- a/arm/Microsoft.Network/connections/.parameters/vnet2vnet.parameters.json +++ b/arm/Microsoft.Network/connections/.parameters/vnet2vnet.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-vnetgwc-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "virtualNetworkGateway1": { "value": { "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworkGateways/<>-az-vnet-vpn-gw-p-001" diff --git a/arm/Microsoft.Network/connections/deploy.bicep b/arm/Microsoft.Network/connections/deploy.bicep index d5e2464990..cece8af8ab 100644 --- a/arm/Microsoft.Network/connections/deploy.bicep 
+++ b/arm/Microsoft.Network/connections/deploy.bicep
@@ -38,12 +38,12 @@ param customIPSecPolicy object = {
 param routingWeight int = -1
 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -106,10 +106,10 @@ resource connection 'Microsoft.Network/connections@2021-05-01' = {
 }
 }
-resource connection_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource connection_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${connection.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: connection
diff --git a/arm/Microsoft.Network/connections/readme.md b/arm/Microsoft.Network/connections/readme.md
index 1aa105ca5c..f073ea87cb 100644
--- a/arm/Microsoft.Network/connections/readme.md
+++ b/arm/Microsoft.Network/connections/readme.md
@@ -32,7 +32,7 @@ This template deploys a virtual network gateway connection.
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `localNetworkGateway2` | object | `{object}` | | The local network gateway. Used for connection type [IPsec]. |
 | `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
+| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. |
 | `peer` | object | `{object}` | | The remote peer. Used for connection type [ExpressRoute]. |
 | `routingWeight` | int | `-1` | | The weight added to routes learned from this BGP speaker. |
 | `tags` | object | `{object}` | | Tags of the resource. |
@@ -318,9 +318,6 @@ tags: { "name": { "value": "<>-az-vnetgwc-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "virtualNetworkGateway1": { "value": { "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworkGateways/<>-az-vnet-vpn-gw-p-001" @@ -369,14 +366,28 @@ module connections './Microsoft.Network/connections/deploy.bicep' = { name: '${uniqueString(deployment().name)}-connections' params: { name: '<>-az-vnetgwc-x-001' - lock: 'CanNotDelete' virtualNetworkGateway1: { id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworkGateways/<>-az-vnet-vpn-gw-p-001' } virtualNetworkGateway2: { id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworkGateways/<>-az-vnet-vpn-gw-p-002' } - vpnSharedKey: kv1.getSecret('vpnSharedKey') + vpnSharedKey: [ + { + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + } + secretName: 'vpnSharedKey' + } + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true + } + ] virtualNetworkGatewayConnectionType: 'Vnet2Vnet' enableBgp: false location: 'eastus' diff --git a/arm/Microsoft.Network/ddosProtectionPlans/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/ddosProtectionPlans/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Network/ddosProtectionPlans/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/ddosProtectionPlans/.bicep/nested_rbac.bicep index 52f9158a47..5c526121e5 100644 --- a/arm/Microsoft.Network/ddosProtectionPlans/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/ddosProtectionPlans/.bicep/nested_rbac.bicep 
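Review bot: The new `vpnSharedKey` value in the Bicep example is not a usable input: it is a serialized PowerShell object (`MemberType: 8`, `IsSettable: true`, `TypeNameOfValue: 'System.Management.Automation.PSCustomObject'`, `Name: 'reference'`) that the readme generator appears to have emitted from the Key Vault `reference` entry of the JSON parameter file instead of translating it. The line it replaces, `vpnSharedKey: kv1.getSecret('vpnSharedKey')`, was the correct Bicep form for handing a Key Vault secret to a module parameter; presumably `vpnSharedKey` is declared as a secure string in deploy.bicep, which this array value would not satisfy, so the example as written does not deploy. Restoring the `getSecret` line and teaching the generator to map `reference` objects to `getSecret` keeps the example deployable; the same serialization will otherwise recur in every readme regenerated from a parameter file that uses a Key Vault reference.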
@@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: ddosProtectionPlan
 }]
diff --git a/arm/Microsoft.Network/ddosProtectionPlans/.parameters/parameters.json b/arm/Microsoft.Network/ddosProtectionPlans/.parameters/parameters.json
index fe639affc6..3d697dee91 100644
--- a/arm/Microsoft.Network/ddosProtectionPlans/.parameters/parameters.json
+++ b/arm/Microsoft.Network/ddosProtectionPlans/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "<>-az-ddos-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "roleAssignments": {
 "value": [
 {
diff --git a/arm/Microsoft.Network/ddosProtectionPlans/deploy.bicep b/arm/Microsoft.Network/ddosProtectionPlans/deploy.bicep
index 55550d003f..a1006d95f9 100644
--- a/arm/Microsoft.Network/ddosProtectionPlans/deploy.bicep
+++ b/arm/Microsoft.Network/ddosProtectionPlans/deploy.bicep
@@ -6,12 +6,12 @@ param name string = ''
 param location string = resourceGroup().location
 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -41,16 +41,16 @@ resource ddosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2021-05-01' =
 properties: {}
 }
-resource ddosProtectionPlan_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource ddosProtectionPlan_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${ddosProtectionPlan.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: ddosProtectionPlan
 }
-module ddosProtectionPlan_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module ddosProtectionPlan_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-DDoSProtectionPlan-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Network/ddosProtectionPlans/readme.md b/arm/Microsoft.Network/ddosProtectionPlans/readme.md
index 6474521878..ced1a5a985 100644
--- a/arm/Microsoft.Network/ddosProtectionPlans/readme.md
+++ b/arm/Microsoft.Network/ddosProtectionPlans/readme.md
@@ -29,7 +29,7 @@ This template deploys a DDoS protection plan. | :-- | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -159,9 +159,6 @@ tags: { "name": { "value": "<>-az-ddos-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { @@ -188,7 +185,6 @@ module ddosProtectionPlans './Microsoft.Network/ddosProtectionPlans/deploy.bicep name: '${uniqueString(deployment().name)}-ddosProtectionPlans' params: { name: '<>-az-ddos-x-001' - lock: 'CanNotDelete' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_rbac.bicep index 0ff9bad986..ac5f3b063d 100644 --- a/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_rbac.bicep 
@@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: expressRouteCircuits
 }]
diff --git a/arm/Microsoft.Network/expressRouteCircuits/.parameters/parameters.json b/arm/Microsoft.Network/expressRouteCircuits/.parameters/parameters.json
index fa4209859e..8050f44069 100644
--- a/arm/Microsoft.Network/expressRouteCircuits/.parameters/parameters.json
+++ b/arm/Microsoft.Network/expressRouteCircuits/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "<>-az-erc-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "serviceProviderName": {
 "value": "Equinix"
 },
diff --git a/arm/Microsoft.Network/expressRouteCircuits/deploy.bicep b/arm/Microsoft.Network/expressRouteCircuits/deploy.bicep
index 52d3866895..591a386f46 100644
--- a/arm/Microsoft.Network/expressRouteCircuits/deploy.bicep
+++ b/arm/Microsoft.Network/expressRouteCircuits/deploy.bicep
@@ -75,12 +75,12 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''

 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'

 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -174,10 +174,10 @@ resource expressRouteCircuits 'Microsoft.Network/expressRouteCircuits@2021-05-01
 }
 }

-resource expressRouteCircuits_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource expressRouteCircuits_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${expressRouteCircuits.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: expressRouteCircuits
@@ -196,7 +196,7 @@ resource expressRouteCircuits_diagnosticSettings 'Microsoft.Insights/diagnosticS
 scope: expressRouteCircuits
 }

-module expressRouteCircuits_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module expressRouteCircuits_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-ExpRouteCircuits-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Network/expressRouteCircuits/readme.md b/arm/Microsoft.Network/expressRouteCircuits/readme.md
index 3a0b17d5cd..f724febd2e 100644
--- a/arm/Microsoft.Network/expressRouteCircuits/readme.md
+++ b/arm/Microsoft.Network/expressRouteCircuits/readme.md
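Review bot: With `lock: 'CanNotDelete'` removed from `.parameters/parameters.json` (hunk above) while `expressRouteCircuits_lock` is now deployed only `if (lock != 'NotSpecified')`, the module's test deployment no longer exercises the lock resource at all, so a regression in `level: lock` or the `notes` expression would go unnoticed in CI; keep a lock value in at least one parameter set, or add a second parameter file that sets one. The same gap is introduced for the frontDoors, ipGroups, loadBalancers, localNetworkGateways, natGateways and networkInterfaces modules further down, where the parameter files lose the same entry. The `@allowed` list on `lock` (param hunk above) includes `'NotSpecified'`, so the new comparison is sound and dropping `any()` on `level` is justified; a one-line comment on the resource such as `// 'NotSpecified' is the "no lock" sentinel, so it must match the @allowed values on the lock param` would make that coupling explicit for the next maintainer.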
@@ -43,7 +43,7 @@ This template deploys an express route circuit. | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `peerASN` | int | `0` | | The autonomous system number of the customer/connectivity provider. | | `peering` | bool | `False` | `[True, False]` | Enabled BGP peering type for the Circuit. | | `peeringType` | string | `'AzurePrivatePeering'` | `[AzurePrivatePeering, MicrosoftPeering]` | BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering. | @@ -181,9 +181,6 @@ tags: { "name": { "value": "<>-az-erc-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "serviceProviderName": { "value": "Equinix" }, @@ -240,7 +237,6 @@ module expressRouteCircuits './Microsoft.Network/expressRouteCircuits/deploy.bic name: '${uniqueString(deployment().name)}-expressRouteCircuits' params: { name: '<>-az-erc-x-001' - lock: 'CanNotDelete' serviceProviderName: 'Equinix' peeringLocation: 'Amsterdam' bandwidthInMbps: 50 diff --git a/arm/Microsoft.Network/firewallPolicies/deploy.bicep b/arm/Microsoft.Network/firewallPolicies/deploy.bicep index 1c86b92bfe..3f8829cedd 100644 --- a/arm/Microsoft.Network/firewallPolicies/deploy.bicep +++ b/arm/Microsoft.Network/firewallPolicies/deploy.bicep 
@@ -91,7 +91,7 @@ var identity = identityType != 'None' ? {
 userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null

-var enableReferencedModulesTelemetry = false
+var enableChildTelemetry = false

 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
@@ -167,7 +167,7 @@ module firewallPolicy_ruleCollectionGroups 'ruleCollectionGroups/deploy.bicep' =
 name: ruleCollectionGroup.name
 priority: ruleCollectionGroup.priority
 ruleCollections: ruleCollectionGroup.ruleCollections
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]

diff --git a/arm/Microsoft.Network/frontDoors/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/frontDoors/.bicep/nested_rbac.bicep
similarity index 98%
rename from arm/Microsoft.Network/frontDoors/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Network/frontDoors/.bicep/nested_rbac.bicep
index 9a72de9cc3..bdccbdc212 100644
--- a/arm/Microsoft.Network/frontDoors/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Network/frontDoors/.bicep/nested_rbac.bicep
@@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: frontDoor
 }]
diff --git a/arm/Microsoft.Network/frontDoors/.parameters/parameters.json b/arm/Microsoft.Network/frontDoors/.parameters/parameters.json
index e52cca17f9..60be79daa6 100644
--- a/arm/Microsoft.Network/frontDoors/.parameters/parameters.json
+++ b/arm/Microsoft.Network/frontDoors/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "<>-az-fd-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "backendPools": {
 "value": [
 {
diff --git a/arm/Microsoft.Network/frontDoors/deploy.bicep b/arm/Microsoft.Network/frontDoors/deploy.bicep
index 868746dc0e..1fd96fbb1b 100644
--- a/arm/Microsoft.Network/frontDoors/deploy.bicep
+++ b/arm/Microsoft.Network/frontDoors/deploy.bicep
@@ -7,12 +7,12 @@ param name string
 param location string = resourceGroup().location

 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'

 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -135,10 +135,10 @@ resource frontDoor 'Microsoft.Network/frontDoors@2020-05-01' = {
 }
 }

-resource frontDoor_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource frontDoor_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${frontDoor.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: frontDoor
@@ -157,7 +157,7 @@ resource frontDoor_diagnosticSettingName 'Microsoft.Insights/diagnosticSettings@
 scope: frontDoor
 }

-module frontDoor_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module frontDoor_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-AppGateway-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Network/frontDoors/readme.md b/arm/Microsoft.Network/frontDoors/readme.md
index ff24dba8e8..e70260512e 100644
--- a/arm/Microsoft.Network/frontDoors/readme.md
+++ b/arm/Microsoft.Network/frontDoors/readme.md
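Review bot: The deployment name of the `frontDoor_rbac` module is built with `-AppGateway-Rbac-`, which looks like a copy-paste leftover from the Application Gateway module; every sibling in this commit uses its own resource name (`-ExpRouteCircuits-Rbac-`, `-IPGroup-Rbac-`, `-LoadBalancer-Rbac-`, `-NatGateway-Rbac-`). Since this name is what shows up in the resource group's deployment history, a misleading label makes it harder to attribute a role assignment to the module that created it when auditing; the rename is a one-liner: `name: '${uniqueString(deployment().name, location)}-FrontDoor-Rbac-${index}'`. The module block continues past the end of the hunk.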
@@ -44,7 +44,7 @@ This module deploys Front Doors. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `enforceCertificateNameCheck` | string | `'Disabled'` | | Enforce certificate name check of the frontdoor resource. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `logsToEnable` | array | `[FrontdoorAccessLog, FrontdoorWebApplicationFirewallLog]` | `[FrontdoorAccessLog, FrontdoorWebApplicationFirewallLog]` | The name of logs that will be streamed. | | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -176,9 +176,6 @@ tags: { "name": { "value": "<>-az-fd-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "backendPools": { "value": [ { @@ -298,7 +295,6 @@ module frontDoors './Microsoft.Network/frontDoors/deploy.bicep' = { name: '${uniqueString(deployment().name)}-frontDoors' params: { name: '<>-az-fd-x-001' - lock: 'CanNotDelete' backendPools: [ { name: 'backendPool' 
diff --git a/arm/Microsoft.Network/ipGroups/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/ipGroups/.bicep/nested_rbac.bicep
similarity index 97%
rename from arm/Microsoft.Network/ipGroups/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Network/ipGroups/.bicep/nested_rbac.bicep
index 7ba5a78310..287aed0049 100644
--- a/arm/Microsoft.Network/ipGroups/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Network/ipGroups/.bicep/nested_rbac.bicep
@@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: ipGroup
 }]
diff --git a/arm/Microsoft.Network/ipGroups/.parameters/parameters.json b/arm/Microsoft.Network/ipGroups/.parameters/parameters.json
index b30fd0db80..88c2f5a13e 100644
--- a/arm/Microsoft.Network/ipGroups/.parameters/parameters.json
+++ b/arm/Microsoft.Network/ipGroups/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "iacsGroup-servers"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "ipAddresses": {
 "value": [
 "10.0.0.1",
diff --git a/arm/Microsoft.Network/ipGroups/deploy.bicep b/arm/Microsoft.Network/ipGroups/deploy.bicep
index 5c8742665b..c9a4c54e45 100644
--- a/arm/Microsoft.Network/ipGroups/deploy.bicep
+++ b/arm/Microsoft.Network/ipGroups/deploy.bicep
@@ -9,12 +9,12 @@ param location string = resourceGroup().location
 param ipAddresses array = []

 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'

 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -46,16 +46,16 @@ resource ipGroup 'Microsoft.Network/ipGroups@2021-05-01' = {
 }
 }

-resource ipGroup_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource ipGroup_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${ipGroup.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: ipGroup
 }

-module ipGroup_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module ipGroup_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-IPGroup-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Network/ipGroups/readme.md b/arm/Microsoft.Network/ipGroups/readme.md
index 894f7542b4..785984a6e9 100644
--- a/arm/Microsoft.Network/ipGroups/readme.md
+++ b/arm/Microsoft.Network/ipGroups/readme.md
@@ -30,7 +30,7 @@ This module deploys an IP group. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `ipAddresses` | array | `[]` | | IpAddresses/IpAddressPrefixes in the IpGroups resource. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Resource tags. | @@ -160,9 +160,6 @@ tags: { "name": { "value": "iacsGroup-servers" }, - "lock": { - "value": "CanNotDelete" - }, "ipAddresses": { "value": [ "10.0.0.1", @@ -195,7 +192,6 @@ module ipGroups './Microsoft.Network/ipGroups/deploy.bicep' = { name: '${uniqueString(deployment().name)}-ipGroups' params: { name: 'iacsGroup-servers' - lock: 'CanNotDelete' ipAddresses: [ '10.0.0.1' '10.0.0.2' diff --git a/arm/Microsoft.Network/loadBalancers/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/loadBalancers/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/loadBalancers/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/loadBalancers/.bicep/nested_rbac.bicep index cfde136ee4..ed9dc8756e 100644 --- a/arm/Microsoft.Network/loadBalancers/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/loadBalancers/.bicep/nested_rbac.bicep 
@@ -53,7 +53,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: loadBalancer
 }]
diff --git a/arm/Microsoft.Network/loadBalancers/.parameters/parameters.json b/arm/Microsoft.Network/loadBalancers/.parameters/parameters.json
index df44d93edf..8ed7862388 100644
--- a/arm/Microsoft.Network/loadBalancers/.parameters/parameters.json
+++ b/arm/Microsoft.Network/loadBalancers/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "<>-az-lb-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "frontendIPConfigurations": {
 "value": [
 {
diff --git a/arm/Microsoft.Network/loadBalancers/deploy.bicep b/arm/Microsoft.Network/loadBalancers/deploy.bicep
index 1ace647746..c1758136af 100644
--- a/arm/Microsoft.Network/loadBalancers/deploy.bicep
+++ b/arm/Microsoft.Network/loadBalancers/deploy.bicep
@@ -42,12 +42,12 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''

 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'

 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -152,7 +152,7 @@ param diagnosticMetricsToEnable array = [
 @description('Optional. The name of the diagnostic setting, if deployed.')
 param diagnosticSettingsName string = '${name}-diagnosticSettings'

-var enableReferencedModulesTelemetry = false
+var enableChildTelemetry = false

 var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 category: metric
@@ -199,7 +199,7 @@ module loadBalancer_backendAddressPools 'backendAddressPools/deploy.bicep' = [fo
 name: backendAddressPool.name
 tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') && !empty(backendAddressPool.tunnelInterfaces) ? backendAddressPool.tunnelInterfaces : []
 loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') && !empty(backendAddressPool.loadBalancerBackendAddresses) ? backendAddressPool.loadBalancerBackendAddresses : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]

@@ -218,17 +218,17 @@ module loadBalancer_inboundNATRules 'inboundNatRules/deploy.bicep' = [for (inbou
 frontendPortRangeStart: contains(inboundNATRule, 'frontendPortRangeStart') ? inboundNATRule.frontendPortRangeStart : -1
 idleTimeoutInMinutes: contains(inboundNATRule, 'idleTimeoutInMinutes') ? inboundNATRule.idleTimeoutInMinutes : 4
 protocol: contains(inboundNATRule, 'protocol') ? inboundNATRule.protocol : 'Tcp'
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 dependsOn: [
 loadBalancer_backendAddressPools
 ]
 }]

-resource loadBalancer_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource loadBalancer_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${loadBalancer.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: loadBalancer
@@ -246,7 +246,7 @@ resource loadBalancer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@ scope: loadBalancer } -module loadBalancer_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module loadBalancer_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-LoadBalancer-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/loadBalancers/readme.md b/arm/Microsoft.Network/loadBalancers/readme.md index 8b7e53b520..0567c9c88b 100644 --- a/arm/Microsoft.Network/loadBalancers/readme.md +++ b/arm/Microsoft.Network/loadBalancers/readme.md @@ -44,7 +44,7 @@ This module deploys a load balancer. | `loadBalancerSku` | string | `'Standard'` | `[Basic, Standard]` | Name of a load balancer SKU. | | `loadBalancingRules` | array | `[]` | | Array of objects containing all load balancing rules. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `outboundRules` | array | `[]` | | The outbound rules. | | `probes` | array | `[]` | | Array of objects containing all probes, these are references in the load balancing rules. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -719,9 +719,6 @@ module loadBalancers './Microsoft.Network/loadBalancers/deploy.bicep' = {
 "name": {
 "value": "<>-az-lb-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "frontendIPConfigurations": {
 "value": [
 {
@@ -855,7 +852,6 @@ module loadBalancers './Microsoft.Network/loadBalancers/deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-loadBalancers'
 params: {
 name: '<>-az-lb-x-001'
- lock: 'CanNotDelete'
 frontendIPConfigurations: [
 {
 name: 'publicIPConfig1'
diff --git a/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_rbac.bicep
similarity index 97%
rename from arm/Microsoft.Network/localNetworkGateways/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Network/localNetworkGateways/.bicep/nested_rbac.bicep
index 13456f25a4..5c4f818d7f 100644
--- a/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_rbac.bicep
@@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: localNetworkGateway
 }]
diff --git a/arm/Microsoft.Network/localNetworkGateways/.parameters/parameters.json b/arm/Microsoft.Network/localNetworkGateways/.parameters/parameters.json
index f2d289d373..878777fb13 100644
--- a/arm/Microsoft.Network/localNetworkGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/localNetworkGateways/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "<>-az-lng-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "localAddressPrefixes": {
 "value": [
 "192.168.1.0/24"
diff --git a/arm/Microsoft.Network/localNetworkGateways/deploy.bicep b/arm/Microsoft.Network/localNetworkGateways/deploy.bicep
index 12d5d30798..0957133b2a 100644
--- a/arm/Microsoft.Network/localNetworkGateways/deploy.bicep
+++ b/arm/Microsoft.Network/localNetworkGateways/deploy.bicep
@@ -21,12 +21,12 @@ param localBgpPeeringAddress string = ''
 param localPeerWeight string = ''

 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'

 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -72,16 +72,16 @@ resource localNetworkGateway 'Microsoft.Network/localNetworkGateways@2021-08-01'
 }
 }

-resource localNetworkGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource localNetworkGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${localNetworkGateway.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: localNetworkGateway
 }

-module localNetworkGateway_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module localNetworkGateway_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-LocalNetworkGateway-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Network/localNetworkGateways/readme.md b/arm/Microsoft.Network/localNetworkGateways/readme.md
index 8b4a48f561..86d6fb57f8 100644
--- a/arm/Microsoft.Network/localNetworkGateways/readme.md
+++ b/arm/Microsoft.Network/localNetworkGateways/readme.md
@@ -35,7 +35,7 @@ This module deploys a local network gateway. | `localBgpPeeringAddress` | string | `''` | | The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource. | | `localPeerWeight` | string | `''` | | The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -165,9 +165,6 @@ tags: { "name": { "value": "<>-az-lng-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "localAddressPrefixes": { "value": [ "192.168.1.0/24" @@ -208,7 +205,6 @@ module localNetworkGateways './Microsoft.Network/localNetworkGateways/deploy.bic name: '${uniqueString(deployment().name)}-localNetworkGateways' params: { name: '<>-az-lng-x-001' - lock: 'CanNotDelete' localAddressPrefixes: [ '192.168.1.0/24' ] 
diff --git a/arm/Microsoft.Network/natGateways/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/natGateways/.bicep/nested_rbac.bicep
similarity index 97%
rename from arm/Microsoft.Network/natGateways/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Network/natGateways/.bicep/nested_rbac.bicep
index f39bd3d187..ae8f0e0619 100644
--- a/arm/Microsoft.Network/natGateways/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Network/natGateways/.bicep/nested_rbac.bicep
@@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: natGateway
 }]
diff --git a/arm/Microsoft.Network/natGateways/.parameters/parameters.json b/arm/Microsoft.Network/natGateways/.parameters/parameters.json
index ec9c2014d9..6f5ac729cf 100644
--- a/arm/Microsoft.Network/natGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/natGateways/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "<>-az-ngw-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "natGatewayPublicIpAddress": {
 "value": true
 },
diff --git a/arm/Microsoft.Network/natGateways/deploy.bicep b/arm/Microsoft.Network/natGateways/deploy.bicep
index a313811a1f..d026761804 100644
--- a/arm/Microsoft.Network/natGateways/deploy.bicep
+++ b/arm/Microsoft.Network/natGateways/deploy.bicep
@@ -46,12 +46,12 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''

 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'

 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -149,10 +149,10 @@ resource publicIP 'Microsoft.Network/publicIPAddresses@2021-05-01' = if (natGate
 }
 }

-resource publicIP_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource publicIP_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${publicIP.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: publicIP
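Review bot: `publicIP_lock` is deployed whenever `lock != 'NotSpecified'`, but the `publicIP` resource it is scoped to is itself conditional (the hunk header shows `= if (natGate…`, presumably the `natGatewayPublicIpAddress` flag listed in the readme below), so requesting a lock without a public IP yields a lock whose scope does not exist. The old `!empty(lock)` had the same gap, but since the condition is being rewritten here it is the place to close it: `resource publicIP_lock 'Microsoft.Authorization/locks@2017-04-01' = if (natGatewayPublicIpAddress && lock != 'NotSpecified') {`. Worth a short comment on that line, e.g. `// lock only the public IP this module creates; a caller-supplied IP is not ours to lock`, so the coupling to the publicIP condition is not lost in a later edit. The `publicIP` resource declaration and its condition are outside the hunk.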
@@ -184,16 +184,16 @@ resource natGateway 'Microsoft.Network/natGateways@2021-05-01' = {
 zones: zones
 }

-resource natGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource natGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${natGateway.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: natGateway
 }

-module natGateway_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module natGateway_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-NatGateway-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Network/natGateways/readme.md b/arm/Microsoft.Network/natGateways/readme.md
index c74f24219b..54813a742e 100644
--- a/arm/Microsoft.Network/natGateways/readme.md
+++ b/arm/Microsoft.Network/natGateways/readme.md
@@ -40,7 +40,7 @@ This module deploys a NAT gateway. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `idleTimeoutInMinutes` | int | `5` | | The idle timeout of the nat gateway. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `natGatewayDomainNameLabel` | string | `''` | | DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com. | | `natGatewayPipName` | string | `''` | | Specifies the name of the Public IP used by the NAT Gateway. If it's not provided, a '-pip' suffix will be appended to the Bastion's name. | | `natGatewayPublicIpAddress` | bool | `False` | | Use to have a new Public IP Address created for the NAT Gateway. | @@ -177,9 +177,6 @@ tags: { "name": { "value": "<>-az-ngw-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "natGatewayPublicIpAddress": { "value": true }, @@ -224,7 +221,6 @@ module natGateways './Microsoft.Network/natGateways/deploy.bicep' = { name: '${uniqueString(deployment().name)}-natGateways' params: { name: '<>-az-ngw-x-001' - lock: 'CanNotDelete' natGatewayPublicIpAddress: true roleAssignments: [ { diff --git a/arm/Microsoft.Network/networkInterfaces/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/networkInterfaces/.bicep/nested_rbac.bicep similarity index 100% rename from arm/Microsoft.Network/networkInterfaces/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/networkInterfaces/.bicep/nested_rbac.bicep diff --git a/arm/Microsoft.Network/networkInterfaces/.parameters/parameters.json b/arm/Microsoft.Network/networkInterfaces/.parameters/parameters.json index b0cc8d9757..7eb7ebc50f 100644 
--- a/arm/Microsoft.Network/networkInterfaces/.parameters/parameters.json +++ b/arm/Microsoft.Network/networkInterfaces/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-nic-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.Network/networkInterfaces/deploy.bicep b/arm/Microsoft.Network/networkInterfaces/deploy.bicep index 34fe2c04bf..611c37b801 100644 --- a/arm/Microsoft.Network/networkInterfaces/deploy.bicep +++ b/arm/Microsoft.Network/networkInterfaces/deploy.bicep @@ -26,12 +26,12 @@ param networkSecurityGroupResourceId string = '' param ipConfigurations array @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -105,9 +105,9 @@ resource networkInterface 'Microsoft.Network/networkInterfaces@2021-05-01' = {
 primary: index == 0 ? true : false
 privateIPAllocationMethod: contains(ipConfiguration, 'privateIPAllocationMethod') ? (!empty(ipConfiguration.privateIPAllocationMethod) ? ipConfiguration.privateIPAllocationMethod : null) : null
 privateIPAddress: contains(ipConfiguration, 'vmIPAddress') ? (!empty(ipConfiguration.vmIPAddress) ? ipConfiguration.vmIPAddress : null) : null
- publicIPAddress: contains(ipConfiguration, 'publicIPAddressResourceId') ? (ipConfiguration.publicIPAddressResourceId != null ? {
+ publicIPAddress: contains(ipConfiguration, 'publicIPAddressResourceId') ? {
 id: ipConfiguration.publicIPAddressResourceId
- } : null) : null
+ } : null
 subnet: {
 id: ipConfiguration.subnetId
 }
@@ -135,16 +135,16 @@ resource networkInterface_diagnosticSettings 'Microsoft.Insights/diagnosticSetti
 scope: networkInterface
 }
-resource networkInterface_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource networkInterface_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${networkInterface.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: networkInterface
 }
-module networkInterface_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module networkInterface_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-NIC-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Network/networkInterfaces/readme.md b/arm/Microsoft.Network/networkInterfaces/readme.md
index 990abb30e0..58ed128aa1 100644
--- a/arm/Microsoft.Network/networkInterfaces/readme.md
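Review bot: The new `publicIPAddress` expression in the `@@ -105,9` hunk drops the value guard the removed line carried, so an `ipConfiguration` entry that contains the key `publicIPAddressResourceId` with an empty string now produces `{ id: '' }` instead of `null`, and the deployment fails instead of creating a NIC without a public IP; the neighbouring `privateIPAllocationMethod` and `privateIPAddress` lines keep an `!empty(...)` guard, so the new form is also inconsistent with them. Suggest `publicIPAddress: contains(ipConfiguration, 'publicIPAddressResourceId') ? (!empty(ipConfiguration.publicIPAddressResourceId) ? { id: ipConfiguration.publicIPAddressResourceId } : null) : null`, which keeps the simplification while preserving the old tolerance for an empty value. The enclosing `networkInterface` resource starts and ends outside the hunk.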
+++ b/arm/Microsoft.Network/networkInterfaces/readme.md @@ -41,7 +41,7 @@ This module deploys Network Interfaces. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `enableIPForwarding` | bool | `False` | | Indicates whether IP forwarding is enabled on this network interface. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `networkSecurityGroupResourceId` | string | `''` | | The network security group (NSG) to attach to the network interface. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -243,9 +243,6 @@ module networkInterfaces './Microsoft.Network/networkInterfaces/deploy.bicep' = "name": { "value": "<>-az-nic-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { @@ -305,7 +302,6 @@ module networkInterfaces './Microsoft.Network/networkInterfaces/deploy.bicep' = name: '${uniqueString(deployment().name)}-networkInterfaces' params: { name: '<>-az-nic-x-001' - lock: 'CanNotDelete' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' 
diff --git a/arm/Microsoft.Network/networkSecurityGroups/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/networkSecurityGroups/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/networkSecurityGroups/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/networkSecurityGroups/.bicep/nested_rbac.bicep index c25e77324b..3476acd611 100644 --- a/arm/Microsoft.Network/networkSecurityGroups/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/networkSecurityGroups/.bicep/nested_rbac.bicep @@ -52,7 +52,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: networkSecurityGroup }] diff --git a/arm/Microsoft.Network/networkSecurityGroups/.parameters/parameters.json b/arm/Microsoft.Network/networkSecurityGroups/.parameters/parameters.json index 26cbb1eb56..c8f75d3aaf 100644 --- a/arm/Microsoft.Network/networkSecurityGroups/.parameters/parameters.json +++ b/arm/Microsoft.Network/networkSecurityGroups/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-nsg-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "securityRules": { "value": [ { diff --git a/arm/Microsoft.Network/networkSecurityGroups/deploy.bicep b/arm/Microsoft.Network/networkSecurityGroups/deploy.bicep index 3e51280910..4aa11c1808 100644 --- a/arm/Microsoft.Network/networkSecurityGroups/deploy.bicep +++ b/arm/Microsoft.Network/networkSecurityGroups/deploy.bicep 
@@ -25,12 +25,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -54,7 +54,7 @@ param diagnosticLogCategoriesToEnable array = [ @description('Optional. The name of the diagnostic setting, if deployed.') param diagnosticSettingsName string = '${name}-diagnosticSettings' -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { category: category 
@@ -125,14 +125,14 @@ module networkSecurityGroup_securityRules 'securityRules/deploy.bicep' = [for (s destinationAddressPrefixes: contains(securityRule.properties, 'destinationAddressPrefixes') ? securityRule.properties.destinationAddressPrefixes : [] sourceApplicationSecurityGroups: contains(securityRule.properties, 'sourceApplicationSecurityGroups') ? securityRule.properties.sourceApplicationSecurityGroups : [] destinationApplicationSecurityGroups: contains(securityRule.properties, 'destinationApplicationSecurityGroups') ? securityRule.properties.destinationApplicationSecurityGroups : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] -resource networkSecurityGroup_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource networkSecurityGroup_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${networkSecurityGroup.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: networkSecurityGroup @@ -150,7 +150,7 @@ resource networkSecurityGroup_diagnosticSettings 'Microsoft.Insights/diagnosticS scope: networkSecurityGroup } -module networkSecurityGroup_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module networkSecurityGroup_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-NSG-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/networkSecurityGroups/readme.md b/arm/Microsoft.Network/networkSecurityGroups/readme.md index 4d0292d14e..dda7040269 100644 --- a/arm/Microsoft.Network/networkSecurityGroups/readme.md +++ b/arm/Microsoft.Network/networkSecurityGroups/readme.md 
@@ -38,7 +38,7 @@ This template deploys a network security group (NSG) with optional security rule | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `securityRules` | _[securityRules](securityRules/readme.md)_ array | `[]` | | Array of Security Rules to deploy to the Network Security Group. When not provided, an NSG including only the built-in roles will be deployed. | | `tags` | object | `{object}` | | Tags of the NSG resource. | @@ -205,9 +205,6 @@ module networkSecurityGroups './Microsoft.Network/networkSecurityGroups/deploy.b "name": { "value": "<>-az-nsg-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "securityRules": { "value": [ { @@ -315,7 +312,6 @@ module networkSecurityGroups './Microsoft.Network/networkSecurityGroups/deploy.b name: '${uniqueString(deployment().name)}-networkSecurityGroups' params: { name: '<>-az-nsg-x-001' - lock: 'CanNotDelete' securityRules: [ { name: 'Specific' 
diff --git a/arm/Microsoft.Network/networkWatchers/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/networkWatchers/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Network/networkWatchers/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/networkWatchers/.bicep/nested_rbac.bicep index e958197039..0f1f0c8c8c 100644 --- a/arm/Microsoft.Network/networkWatchers/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/networkWatchers/.bicep/nested_rbac.bicep @@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: networkWatcher }] diff --git a/arm/Microsoft.Network/networkWatchers/deploy.bicep b/arm/Microsoft.Network/networkWatchers/deploy.bicep index ae61cc3fd3..4b6d5bcb6c 100644 --- a/arm/Microsoft.Network/networkWatchers/deploy.bicep +++ b/arm/Microsoft.Network/networkWatchers/deploy.bicep @@ -12,12 +12,12 @@ param connectionMonitors array = [] param flowLogs array = [] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -28,7 +28,7 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -49,16 +49,16 @@ resource networkWatcher 'Microsoft.Network/networkWatchers@2021-05-01' = { properties: {} } -resource networkWatcher_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource networkWatcher_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${networkWatcher.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: networkWatcher } -module networkWatcher_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module networkWatcher_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-NW-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' @@ -78,7 +78,7 @@ module networkWatcher_connectionMonitors 'connectionMonitors/deploy.bicep' = [fo testConfigurations: contains(connectionMonitor, 'testConfigurations') ? connectionMonitor.testConfigurations : [] testGroups: contains(connectionMonitor, 'testGroups') ? connectionMonitor.testGroups : [] workspaceResourceId: contains(connectionMonitor, 'workspaceResourceId') ? connectionMonitor.workspaceResourceId : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] 
@@ -95,7 +95,7 @@ module networkWatcher_flowLogs 'flowLogs/deploy.bicep' = [for (flowLog, index) i targetResourceId: flowLog.targetResourceId trafficAnalyticsInterval: contains(flowLog, 'trafficAnalyticsInterval') ? flowLog.trafficAnalyticsInterval : 60 workspaceResourceId: contains(flowLog, 'workspaceResourceId') ? flowLog.workspaceResourceId : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] diff --git a/arm/Microsoft.Network/networkWatchers/readme.md b/arm/Microsoft.Network/networkWatchers/readme.md index 195e1d50ec..8912f4a31d 100644 --- a/arm/Microsoft.Network/networkWatchers/readme.md +++ b/arm/Microsoft.Network/networkWatchers/readme.md @@ -33,7 +33,7 @@ This template deploys a network watcher. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `flowLogs` | _[flowLogs](flowLogs/readme.md)_ array | `[]` | | Array that contains the Flow Logs. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | 
diff --git a/arm/Microsoft.Network/privateDnsZones/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/privateDnsZones/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/privateDnsZones/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/privateDnsZones/.bicep/nested_rbac.bicep index b75bab676a..42965b6e8f 100644 --- a/arm/Microsoft.Network/privateDnsZones/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/privateDnsZones/.bicep/nested_rbac.bicep @@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: privateDnsZone }] diff --git a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json index 8b3662c1ee..88c41e929e 100644 --- a/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json +++ b/arm/Microsoft.Network/privateDnsZones/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-privdns-x-002.com" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { diff --git a/arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_rbac.bicep index e7c72f0a22..27757a54bc 100644 --- a/arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/privateDnsZones/A/.bicep/nested_rbac.bicep 
@@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: A }] diff --git a/arm/Microsoft.Network/privateDnsZones/A/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/A/deploy.bicep index 49e6309abf..3c88b840e1 100644 --- a/arm/Microsoft.Network/privateDnsZones/A/deploy.bicep +++ b/arm/Microsoft.Network/privateDnsZones/A/deploy.bicep @@ -45,7 +45,7 @@ resource A 'Microsoft.Network/privateDnsZones/A@2020-06-01' = { } } -module A_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module A_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name)}-PDNSA-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_rbac.bicep index 4c1d7a8055..0548759242 100644 --- a/arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/privateDnsZones/AAAA/.bicep/nested_rbac.bicep 
@@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: AAAA }] diff --git a/arm/Microsoft.Network/privateDnsZones/AAAA/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/AAAA/deploy.bicep index 4d31d07420..29c7a66879 100644 --- a/arm/Microsoft.Network/privateDnsZones/AAAA/deploy.bicep +++ b/arm/Microsoft.Network/privateDnsZones/AAAA/deploy.bicep @@ -45,7 +45,7 @@ resource AAAA 'Microsoft.Network/privateDnsZones/AAAA@2020-06-01' = { } } -module AAAA_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module AAAA_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name)}-PDNSAAAA-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_rbac.bicep index f35b9ecb27..bba87eeb4b 100644 --- a/arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/privateDnsZones/CNAME/.bicep/nested_rbac.bicep 
@@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: CNAME }] diff --git a/arm/Microsoft.Network/privateDnsZones/CNAME/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/CNAME/deploy.bicep index 230320b6dc..de45e6d935 100644 --- a/arm/Microsoft.Network/privateDnsZones/CNAME/deploy.bicep +++ b/arm/Microsoft.Network/privateDnsZones/CNAME/deploy.bicep @@ -45,7 +45,7 @@ resource CNAME 'Microsoft.Network/privateDnsZones/CNAME@2020-06-01' = { } } -module CNAME_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module CNAME_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name)}-PDNSCNAME-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_rbac.bicep index ba3a2d0b69..a913df5f4b 100644 --- a/arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/privateDnsZones/MX/.bicep/nested_rbac.bicep 
@@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: MX }] diff --git a/arm/Microsoft.Network/privateDnsZones/MX/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/MX/deploy.bicep index 7bd01356fb..3e182064f0 100644 --- a/arm/Microsoft.Network/privateDnsZones/MX/deploy.bicep +++ b/arm/Microsoft.Network/privateDnsZones/MX/deploy.bicep @@ -45,7 +45,7 @@ resource MX 'Microsoft.Network/privateDnsZones/MX@2020-06-01' = { } } -module MX_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module MX_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name)}-PDNSMX-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_rbac.bicep index 1b57ee386f..e2b79c018a 100644 --- a/arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/privateDnsZones/PTR/.bicep/nested_rbac.bicep 
@@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: PTR }] diff --git a/arm/Microsoft.Network/privateDnsZones/PTR/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/PTR/deploy.bicep index 4d83d996ba..cbc32f2f90 100644 --- a/arm/Microsoft.Network/privateDnsZones/PTR/deploy.bicep +++ b/arm/Microsoft.Network/privateDnsZones/PTR/deploy.bicep @@ -31,7 +31,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -module PTR_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module PTR_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name)}-PDNSPTR-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_rbac.bicep index 9181915040..e235c344b4 100644 --- a/arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/privateDnsZones/SOA/.bicep/nested_rbac.bicep 
@@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: SOA }] diff --git a/arm/Microsoft.Network/privateDnsZones/SOA/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/SOA/deploy.bicep index 256047114d..3bbb21a150 100644 --- a/arm/Microsoft.Network/privateDnsZones/SOA/deploy.bicep +++ b/arm/Microsoft.Network/privateDnsZones/SOA/deploy.bicep @@ -45,7 +45,7 @@ resource SOA 'Microsoft.Network/privateDnsZones/SOA@2020-06-01' = { } } -module SOA_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module SOA_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name)}-PDNSSOA-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_rbac.bicep index f77b4b0736..71e7f0f6fa 100644 --- a/arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/privateDnsZones/SRV/.bicep/nested_rbac.bicep 
@@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: SRV }] diff --git a/arm/Microsoft.Network/privateDnsZones/SRV/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/SRV/deploy.bicep index d15b8b6a32..d17d2468bf 100644 --- a/arm/Microsoft.Network/privateDnsZones/SRV/deploy.bicep +++ b/arm/Microsoft.Network/privateDnsZones/SRV/deploy.bicep @@ -45,7 +45,7 @@ resource SRV 'Microsoft.Network/privateDnsZones/SRV@2020-06-01' = { } } -module SRV_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module SRV_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name)}-PDNSSRV-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_rbac.bicep index 8635e9dd44..4f617429da 100644 --- a/arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/privateDnsZones/TXT/.bicep/nested_rbac.bicep 
@@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: TXT
 }]
diff --git a/arm/Microsoft.Network/privateDnsZones/TXT/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/TXT/deploy.bicep
index e718bdbcdb..f4b71e4bb0 100644
--- a/arm/Microsoft.Network/privateDnsZones/TXT/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/TXT/deploy.bicep
@@ -45,7 +45,7 @@ resource TXT 'Microsoft.Network/privateDnsZones/TXT@2020-06-01' = {
 }
 }
-module TXT_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module TXT_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name)}-PDNSTXT-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Network/privateDnsZones/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/deploy.bicep
index 4215fe8ae3..8bd8c22e85 100644
--- a/arm/Microsoft.Network/privateDnsZones/deploy.bicep
+++ b/arm/Microsoft.Network/privateDnsZones/deploy.bicep 
@@ -38,17 +38,17 @@ param roleAssignments array = []
 param tags object = {}
 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
-var enableReferencedModulesTelemetry = false
+var enableChildTelemetry = false
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
@@ -77,7 +77,7 @@ module privateDnsZone_A 'A/deploy.bicep' = [for (aRecord, index) in a: {
 metadata: contains(aRecord, 'metadata') ? aRecord.metadata : {}
 ttl: contains(aRecord, 'ttl') ? aRecord.ttl : 3600
 roleAssignments: contains(aRecord, 'roleAssignments') ? aRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
@@ -90,7 +90,7 @@ module privateDnsZone_AAAA 'AAAA/deploy.bicep' = [for (aaaaRecord, index) in aaa
 metadata: contains(aaaaRecord, 'metadata') ? aaaaRecord.metadata : {}
 ttl: contains(aaaaRecord, 'ttl') ? aaaaRecord.ttl : 3600
 roleAssignments: contains(aaaaRecord, 'roleAssignments') ? aaaaRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
@@ -103,7 +103,7 @@ module privateDnsZone_CNAME 'CNAME/deploy.bicep' = [for (cnameRecord, index) in
 metadata: contains(cnameRecord, 'metadata') ? cnameRecord.metadata : {}
 ttl: contains(cnameRecord, 'ttl') ? cnameRecord.ttl : 3600
 roleAssignments: contains(cnameRecord, 'roleAssignments') ? cnameRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }] 
@@ -116,7 +116,7 @@ module privateDnsZone_MX 'MX/deploy.bicep' = [for (mxRecord, index) in mx: {
 mxRecords: contains(mxRecord, 'mxRecords') ? mxRecord.mxRecords : []
 ttl: contains(mxRecord, 'ttl') ? mxRecord.ttl : 3600
 roleAssignments: contains(mxRecord, 'roleAssignments') ? mxRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
@@ -129,7 +129,7 @@ module privateDnsZone_PTR 'PTR/deploy.bicep' = [for (ptrRecord, index) in ptr: {
 ptrRecords: contains(ptrRecord, 'ptrRecords') ? ptrRecord.ptrRecords : []
 ttl: contains(ptrRecord, 'ttl') ? ptrRecord.ttl : 3600
 roleAssignments: contains(ptrRecord, 'roleAssignments') ? ptrRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
@@ -142,7 +142,7 @@ module privateDnsZone_SOA 'SOA/deploy.bicep' = [for (soaRecord, index) in soa: {
 soaRecord: contains(soaRecord, 'soaRecord') ? soaRecord.soaRecord : {}
 ttl: contains(soaRecord, 'ttl') ? soaRecord.ttl : 3600
 roleAssignments: contains(soaRecord, 'roleAssignments') ? soaRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
@@ -155,7 +155,7 @@ module privateDnsZone_SRV 'SRV/deploy.bicep' = [for (srvRecord, index) in srv: {
 srvRecords: contains(srvRecord, 'srvRecords') ? srvRecord.srvRecords : []
 ttl: contains(srvRecord, 'ttl') ? srvRecord.ttl : 3600
 roleAssignments: contains(srvRecord, 'roleAssignments') ? srvRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }] 
@@ -168,7 +168,7 @@ module privateDnsZone_TXT 'TXT/deploy.bicep' = [for (txtRecord, index) in txt: {
 txtRecords: contains(txtRecord, 'txtRecords') ? txtRecord.txtRecords : []
 ttl: contains(txtRecord, 'ttl') ? txtRecord.ttl : 3600
 roleAssignments: contains(txtRecord, 'roleAssignments') ? txtRecord.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
@@ -181,20 +181,20 @@ module privateDnsZone_virtualNetworkLinks 'virtualNetworkLinks/deploy.bicep' = [
 location: contains(virtualNetworkLink, 'location') ? virtualNetworkLink.location : 'global'
 registrationEnabled: contains(virtualNetworkLink, 'registrationEnabled') ? virtualNetworkLink.registrationEnabled : false
 tags: contains(virtualNetworkLink, 'tags') ? virtualNetworkLink.tags : {}
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
-resource privateDnsZone_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource privateDnsZone_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${privateDnsZone.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: privateDnsZone
 }
-module privateDnsZone_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module privateDnsZone_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-PrivateDnsZone-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Network/privateDnsZones/readme.md b/arm/Microsoft.Network/privateDnsZones/readme.md
index fd31651fbf..4ee64796da 100644
--- a/arm/Microsoft.Network/privateDnsZones/readme.md 
+++ b/arm/Microsoft.Network/privateDnsZones/readme.md
@@ -41,7 +41,7 @@ This template deploys a private DNS zone.
 | `cname` | _[cname](cname/readme.md)_ array | `[]` | | Array of CNAME records. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `location` | string | `'global'` | | The location of the PrivateDNSZone. Should be global. |
-| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
+| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. |
 | `mx` | _[mx](mx/readme.md)_ array | `[]` | | Array of MX records. |
 | `ptr` | _[ptr](ptr/readme.md)_ array | `[]` | | Array of PTR records. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
@@ -213,9 +213,6 @@ module privateDnsZones './Microsoft.Network/privateDnsZones/deploy.bicep' = {
 "name": {
 "value": "<>-az-privdns-x-002.com"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "roleAssignments": {
 "value": [
 {
@@ -418,7 +415,6 @@ module privateDnsZones './Microsoft.Network/privateDnsZones/deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-privateDnsZones'
 params: {
 name: '<>-az-privdns-x-002.com'
- lock: 'CanNotDelete'
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
diff --git a/arm/Microsoft.Network/privateEndpoints/.bicep/nested_pid.bicep b/arm/Microsoft.Network/privateEndpoints/.bicep/nested_pid.bicep
new file mode 100644
index 0000000000..8b13789179
--- /dev/null
+++ b/arm/Microsoft.Network/privateEndpoints/.bicep/nested_pid.bicep
@@ -0,0 +1 @@
+ 
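Review bot: The new file `arm/Microsoft.Network/privateEndpoints/.bicep/nested_pid.bicep` consists of a single empty line, and nothing else in this commit references a `nested_pid.bicep`; it reads like a stray placeholder that was added by accident. The privateEndpoints module in the same commit still deploys its telemetry through the inline `defaultTelemetry` resource, so either this file should carry the intended content or it should be dropped from the commit. If it is meant to land later, a one-line comment such as `// placeholder for the nested telemetry (pid) deployment — not wired in yet` would at least tell the next reader why an empty template is checked in.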
diff --git a/arm/Microsoft.Network/privateEndpoints/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/privateEndpoints/.bicep/nested_rbac.bicep
similarity index 97%
rename from arm/Microsoft.Network/privateEndpoints/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Network/privateEndpoints/.bicep/nested_rbac.bicep
index a6cc5bf005..ed765219e6 100644
--- a/arm/Microsoft.Network/privateEndpoints/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Network/privateEndpoints/.bicep/nested_rbac.bicep
@@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: privateEndpoint
 }]
diff --git a/arm/Microsoft.Network/privateEndpoints/.parameters/min.parameters.json b/arm/Microsoft.Network/privateEndpoints/.parameters/min.parameters.json
index aa3ea8eba2..bfe13c34ed 100644
--- a/arm/Microsoft.Network/privateEndpoints/.parameters/min.parameters.json
+++ b/arm/Microsoft.Network/privateEndpoints/.parameters/min.parameters.json
@@ -5,13 +5,13 @@
 "name": {
 "value": "<>-az-pe-kvlt-min-001"
 },
- "subnetResourceId": {
+ "targetSubnetResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints"
 },
 "serviceResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe"
 },
- "groupIds": {
+ "groupId": {
 "value": [
 "vault"
 ]
diff --git a/arm/Microsoft.Network/privateEndpoints/.parameters/parameters.json b/arm/Microsoft.Network/privateEndpoints/.parameters/parameters.json
index eff507a0b2..5b5f6f17bb 100644 
--- a/arm/Microsoft.Network/privateEndpoints/.parameters/parameters.json
+++ b/arm/Microsoft.Network/privateEndpoints/.parameters/parameters.json
@@ -5,16 +5,13 @@
 "name": {
 "value": "<>-az-pe-kvlt-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
- "subnetResourceId": {
+ "targetSubnetResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints"
 },
 "serviceResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe"
 },
- "groupIds": {
+ "groupId": {
 "value": [
 "vault"
 ]
diff --git a/arm/Microsoft.Network/privateEndpoints/deploy.bicep b/arm/Microsoft.Network/privateEndpoints/deploy.bicep
index 3ffdeae2d6..9ef96fdd1c 100644
--- a/arm/Microsoft.Network/privateEndpoints/deploy.bicep
+++ b/arm/Microsoft.Network/privateEndpoints/deploy.bicep
@@ -2,13 +2,13 @@ param name string
 @description('Required. Resource ID of the subnet where the endpoint needs to be created.')
-param subnetResourceId string
+param targetSubnetResourceId string
 @description('Required. Resource ID of the resource that needs to be connected to the network.')
 param serviceResourceId string
 @description('Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to.')
-param groupIds array
+param groupId array
 @description('Optional. Array of Private DNS zone groups configuration on the private endpoint.')
 param privateDnsZoneGroups array = [] 
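Review bot: Dropping the `"lock"` entry from `.parameters/parameters.json` means the module's validation deployment no longer exercises the `privateEndpoint_lock` resource that this same commit rewrites to `if (lock != 'NotSpecified')` and `level: lock`, so a regression in that branch would not surface in the pipeline. Resource locks are a deletion and modification guard on production resources, which makes this a branch worth keeping under test rather than relying on the default of `'NotSpecified'`. The same removal happens in the publicIPAddresses, publicIPPrefixes and routeTables parameter files further down, and in the privateDnsZones readme examples. I would keep one parameter set per module that passes a real level, e.g. `"lock": { "value": "CanNotDelete" }`, or state in the commit why lock coverage was intentionally removed.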
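Review bot: `param groupId array` keeps the array type while its name becomes singular, and the `@description` directly above still says `Subtype(s) of the connection to be created`, so the renamed parameter reads as if it took a single value; either keep `groupIds`, or extend the description to `Subtype(s) of the connection to be created, as an array of strings.` so callers are not misled. Renaming `subnetResourceId` and `groupIds` without keeping the old names is also a breaking change for every existing consumer of this module — as far as I can tell an unrecognised parameter fails deployment validation — and the readme hunks of this commit document the new names without calling that out. The later hunk in this file that hardcodes `manualPrivateLinkServiceConnections: []` and `customDnsConfigs: []` removes two more public parameters in the same silent way. The parameter block of this file continues outside the hunk.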
@@ -17,12 +17,12 @@ param privateDnsZoneGroups array = []
 param location string = resourceGroup().location
 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -30,16 +30,10 @@ param roleAssignments array = []
 @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
 param tags object = {}
-@description('Optional. Custom DNS configurations.')
-param customDnsConfigs array = []
-
-@description('Optional. Manual PrivateLink Service Connections.')
-param manualPrivateLinkServiceConnections array = []
-
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
-var enableReferencedModulesTelemetry = false
+var enableChildTelemetry = false
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
@@ -63,15 +57,15 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
 name: name
 properties: {
 privateLinkServiceId: serviceResourceId
- groupIds: groupIds
+ groupIds: groupId
 }
 }
 ]
- manualPrivateLinkServiceConnections: manualPrivateLinkServiceConnections
+ manualPrivateLinkServiceConnections: []
 subnet: {
- id: subnetResourceId
+ id: targetSubnetResourceId
 }
- customDnsConfigs: customDnsConfigs
+ customDnsConfigs: []
 }
 } 
@@ -80,20 +74,20 @@ module privateEndpoint_privateDnsZoneGroups 'privateDnsZoneGroups/deploy.bicep'
 params: {
 privateDNSResourceIds: privateDnsZoneGroup.privateDNSResourceIds
 privateEndpointName: privateEndpoint.name
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
-resource privateEndpoint_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource privateEndpoint_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${privateEndpoint.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: privateEndpoint
 }
-module privateEndpoint_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module privateEndpoint_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Network/privateEndpoints/privateDnsZoneGroups/deploy.bicep b/arm/Microsoft.Network/privateEndpoints/privateDnsZoneGroups/deploy.bicep
index 46e9dd21b9..db01f717a2 100644
--- a/arm/Microsoft.Network/privateEndpoints/privateDnsZoneGroups/deploy.bicep
+++ b/arm/Microsoft.Network/privateEndpoints/privateDnsZoneGroups/deploy.bicep
@@ -23,7 +23,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 var privateDnsZoneConfigs = [for privateDNSResourceId in privateDNSResourceIds: {
- name: last(split(privateDNSResourceId, '/'))
+ name: privateEndpointName
 properties: {
 privateDnsZoneId: privateDNSResourceId
 } 
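Review bot: `name: privateEndpointName` in the `privateDnsZoneConfigs` loop gives every entry the same name, because the value no longer depends on the loop variable `privateDNSResourceId`; with two or more IDs in `privateDNSResourceIds` the configs collide, and I would expect the service to reject duplicate config names inside one zone group — worth confirming with a two-zone parameter set before this merges. The replaced `last(split(privateDNSResourceId, '/'))` was unique per zone; if the dots in a zone name were the reason for the change, `name: replace(last(split(privateDNSResourceId, '/')), '.', '-')` keeps uniqueness, or add an index to the loop header and use `name: '${privateEndpointName}-${index}'`. The `privateDnsZoneConfigs` declaration continues outside the hunk.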
diff --git a/arm/Microsoft.Network/privateEndpoints/readme.md b/arm/Microsoft.Network/privateEndpoints/readme.md
index 0fcdd76087..143e67d985 100644
--- a/arm/Microsoft.Network/privateEndpoints/readme.md
+++ b/arm/Microsoft.Network/privateEndpoints/readme.md 
@@ -33,19 +33,17 @@ The following resources are required to be able to deploy this resource:
 **Required parameters**
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
-| `groupIds` | array | Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to. |
+| `groupId` | array | Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to. |
 | `name` | string | Name of the private endpoint resource to create. |
 | `serviceResourceId` | string | Resource ID of the resource that needs to be connected to the network. |
-| `subnetResourceId` | string | Resource ID of the subnet where the endpoint needs to be created. |
+| `targetSubnetResourceId` | string | Resource ID of the subnet where the endpoint needs to be created. |
 **Optional parameters**
 | Parameter Name | Type | Default Value | Allowed Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `customDnsConfigs` | array | `[]` | | Custom DNS configurations. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
-| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `manualPrivateLinkServiceConnections` | array | `[]` | | Manual PrivateLink Service Connections. |
+| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. |
 | `privateDnsZoneGroups` | _[privateDnsZoneGroups](privateDnsZoneGroups/readme.md)_ array | `[]` | | Array of Private DNS zone groups configuration on the private endpoint. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `tags` | object | `{object}` | | Tags to be applied on all resources/resource groups in this deployment. |
@@ -176,13 +174,13 @@ roleAssignments: [
 "name": {
 "value": "<>-az-pe-kvlt-min-001"
 },
- "subnetResourceId": {
+ "targetSubnetResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints"
 },
 "serviceResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe"
 },
- "groupIds": {
+ "groupId": {
 "value": [
 "vault"
 ]
@@ -203,9 +201,9 @@ module privateEndpoints './Microsoft.Network/privateEndpoints/deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-privateEndpoints'
 params: {
 name: '<>-az-pe-kvlt-min-001'
- subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints'
+ targetSubnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints'
 serviceResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe'
- groupIds: [
+ groupId: [
 'vault'
 ]
 } 
@@ -228,16 +226,13 @@ module privateEndpoints './Microsoft.Network/privateEndpoints/deploy.bicep' = {
 "name": {
 "value": "<>-az-pe-kvlt-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
- "subnetResourceId": {
+ "targetSubnetResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints"
 },
 "serviceResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe"
 },
- "groupIds": {
+ "groupId": {
 "value": [
 "vault"
 ]
@@ -277,10 +272,9 @@ module privateEndpoints './Microsoft.Network/privateEndpoints/deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-privateEndpoints'
 params: {
 name: '<>-az-pe-kvlt-001'
- lock: 'CanNotDelete'
- subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints'
+ targetSubnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints'
 serviceResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe'
- groupIds: [
+ groupId: [
 'vault'
 ]
 privateDnsZoneGroups: [
diff --git a/arm/Microsoft.Network/publicIPAddresses/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/publicIPAddresses/.bicep/nested_rbac.bicep
similarity index 98%
rename from arm/Microsoft.Network/publicIPAddresses/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Network/publicIPAddresses/.bicep/nested_rbac.bicep
index 4a612c4c1a..df56b2d735 100644
--- a/arm/Microsoft.Network/publicIPAddresses/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Network/publicIPAddresses/.bicep/nested_rbac.bicep 
@@ -53,7 +53,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: publicIpAddress
 }]
diff --git a/arm/Microsoft.Network/publicIPAddresses/.parameters/parameters.json b/arm/Microsoft.Network/publicIPAddresses/.parameters/parameters.json
index 9a95bc279f..1e12e533b7 100644
--- a/arm/Microsoft.Network/publicIPAddresses/.parameters/parameters.json
+++ b/arm/Microsoft.Network/publicIPAddresses/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "<>-az-pip-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "skuName": {
 "value": "Standard"
 },
diff --git a/arm/Microsoft.Network/publicIPAddresses/deploy.bicep b/arm/Microsoft.Network/publicIPAddresses/deploy.bicep
index ed246c9e81..031eded83e 100644
--- a/arm/Microsoft.Network/publicIPAddresses/deploy.bicep
+++ b/arm/Microsoft.Network/publicIPAddresses/deploy.bicep
@@ -53,12 +53,12 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''
 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location 
@@ -148,10 +148,10 @@ resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' = {
 }
 }
-resource publicIpAddress_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource publicIpAddress_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${publicIpAddress.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: publicIpAddress
@@ -170,7 +170,7 @@ resource publicIpAddress_diagnosticSettings 'Microsoft.Insights/diagnosticSettin
 scope: publicIpAddress
 }
-module publicIpAddress_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module publicIpAddress_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-PIPAddress-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Network/publicIPAddresses/readme.md b/arm/Microsoft.Network/publicIPAddresses/readme.md
index 4071550bad..63cc43a661 100644
--- a/arm/Microsoft.Network/publicIPAddresses/readme.md
+++ b/arm/Microsoft.Network/publicIPAddresses/readme.md 
@@ -36,7 +36,7 @@
 | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
+| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. |
 | `publicIPAddressVersion` | string | `'IPv4'` | `[IPv4, IPv6]` | IP address version. |
 | `publicIPAllocationMethod` | string | `'Dynamic'` | `[Dynamic, Static]` | The public IP address allocation method. |
 | `publicIPPrefixResourceId` | string | `''` | | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. |
@@ -173,9 +173,6 @@ roleAssignments: [
 "name": {
 "value": "<>-az-pip-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "skuName": {
 "value": "Standard"
 },
@@ -230,7 +227,6 @@ module publicIPAddresses './Microsoft.Network/publicIPAddresses/deploy.bicep' =
 name: '${uniqueString(deployment().name)}-publicIPAddresses'
 params: {
 name: '<>-az-pip-x-001'
- lock: 'CanNotDelete'
 skuName: 'Standard'
 publicIPAllocationMethod: 'Static'
 zones: [
diff --git a/arm/Microsoft.Network/publicIPPrefixes/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/publicIPPrefixes/.bicep/nested_rbac.bicep
similarity index 97%
rename from arm/Microsoft.Network/publicIPPrefixes/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Network/publicIPPrefixes/.bicep/nested_rbac.bicep
index dc6c41bb2e..7e0f74ca62 100644
--- a/arm/Microsoft.Network/publicIPPrefixes/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Network/publicIPPrefixes/.bicep/nested_rbac.bicep 
@@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: publicIpPrefix
 }]
diff --git a/arm/Microsoft.Network/publicIPPrefixes/.parameters/parameters.json b/arm/Microsoft.Network/publicIPPrefixes/.parameters/parameters.json
index 4367694850..5b4074820c 100644
--- a/arm/Microsoft.Network/publicIPPrefixes/.parameters/parameters.json
+++ b/arm/Microsoft.Network/publicIPPrefixes/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "<>-az-pippfx-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "prefixLength": {
 "value": 28
 },
diff --git a/arm/Microsoft.Network/publicIPPrefixes/deploy.bicep b/arm/Microsoft.Network/publicIPPrefixes/deploy.bicep
index b9a7b6dfc0..0af3d87a67 100644
--- a/arm/Microsoft.Network/publicIPPrefixes/deploy.bicep
+++ b/arm/Microsoft.Network/publicIPPrefixes/deploy.bicep
@@ -11,12 +11,12 @@ param location string = resourceGroup().location
 param prefixLength int
 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = [] 
@@ -52,16 +52,16 @@ resource publicIpPrefix 'Microsoft.Network/publicIPPrefixes@2021-05-01' = {
 }
 }
-resource publicIpPrefix_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource publicIpPrefix_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${publicIpPrefix.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: publicIpPrefix
 }
-module publicIpPrefix_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module publicIpPrefix_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-PIPPrefix-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Network/publicIPPrefixes/readme.md b/arm/Microsoft.Network/publicIPPrefixes/readme.md
index 04a5a2974f..1499d6e476 100644
--- a/arm/Microsoft.Network/publicIPPrefixes/readme.md
+++ b/arm/Microsoft.Network/publicIPPrefixes/readme.md 
@@ -30,7 +30,7 @@ This template deploys a public IP prefix.
 | :-- | :-- | :-- | :-- | :-- |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `location` | string | `[resourceGroup().location]` | | Location for all resources. |
-| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
+| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `tags` | object | `{object}` | | Tags of the resource. |
@@ -160,9 +160,6 @@ tags: {
 "name": {
 "value": "<>-az-pippfx-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "prefixLength": {
 "value": 28
 },
@@ -192,7 +189,6 @@ module publicIPPrefixes './Microsoft.Network/publicIPPrefixes/deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-publicIPPrefixes'
 params: {
 name: '<>-az-pippfx-x-001'
- lock: 'CanNotDelete'
 prefixLength: 28
 roleAssignments: [
 {
diff --git a/arm/Microsoft.Network/routeTables/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/routeTables/.bicep/nested_rbac.bicep
similarity index 98%
rename from arm/Microsoft.Network/routeTables/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Network/routeTables/.bicep/nested_rbac.bicep
index 0d6e78fcec..f9f82a3bea 100644
--- a/arm/Microsoft.Network/routeTables/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Network/routeTables/.bicep/nested_rbac.bicep 
@@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: routeTable
 }]
diff --git a/arm/Microsoft.Network/routeTables/.parameters/parameters.json b/arm/Microsoft.Network/routeTables/.parameters/parameters.json
index 65fa5d2d91..edd5dba921 100644
--- a/arm/Microsoft.Network/routeTables/.parameters/parameters.json
+++ b/arm/Microsoft.Network/routeTables/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "<>-az-udr-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "routes": {
 "value": [
 {
diff --git a/arm/Microsoft.Network/routeTables/deploy.bicep b/arm/Microsoft.Network/routeTables/deploy.bicep
index feda9c9f10..3f493639de 100644
--- a/arm/Microsoft.Network/routeTables/deploy.bicep
+++ b/arm/Microsoft.Network/routeTables/deploy.bicep
@@ -11,12 +11,12 @@ param routes array = []
 param disableBgpRoutePropagation bool = false
 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = [] 
@@ -49,16 +49,16 @@ resource routeTable 'Microsoft.Network/routeTables@2021-05-01' = { } } -resource routeTable_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource routeTable_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${routeTable.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: routeTable } -module routeTable_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module routeTable_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-RouteTable-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/routeTables/readme.md b/arm/Microsoft.Network/routeTables/readme.md index e802ebfbff..d6434b21c2 100644 --- a/arm/Microsoft.Network/routeTables/readme.md +++ b/arm/Microsoft.Network/routeTables/readme.md 
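Review bot: `level: lock` is now passed without the `any()` cast, but the same commit removes the only `CanNotDelete` value from this module's `.parameters/parameters.json`, so the validation deployment presumably no longer creates `routeTable_lock` and the changed lock resource is not exercised by the module test. The same coverage gap appears in every other module in this commit whose parameter file drops the lock. If the removal is deliberate (for example to keep validation resources deletable), a short comment in the parameter file or readme explaining why `lock` is omitted would make that intent visible to the next maintainer.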
@@ -30,7 +30,7 @@ This module deploys a user defined route table. | `disableBgpRoutePropagation` | bool | `False` | | Switch to disable BGP route propagation. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `routes` | array | `[]` | | An Array of Routes to be established within the hub route table. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -250,9 +250,6 @@ tags: { "name": { "value": "<>-az-udr-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "routes": { "value": [ { @@ -291,7 +288,6 @@ module routeTables './Microsoft.Network/routeTables/deploy.bicep' = { name: '${uniqueString(deployment().name)}-routeTables' params: { name: '<>-az-udr-x-001' - lock: 'CanNotDelete' routes: [ { name: 'default' diff --git a/arm/Microsoft.Network/trafficmanagerprofiles/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/trafficmanagerprofiles/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/trafficmanagerprofiles/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/trafficmanagerprofiles/.bicep/nested_rbac.bicep index 10e6217855..aada1d8ad7 100644 --- a/arm/Microsoft.Network/trafficmanagerprofiles/.bicep/nested_roleAssignments.bicep 
+++ b/arm/Microsoft.Network/trafficmanagerprofiles/.bicep/nested_rbac.bicep @@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: trafficmanagerprofile }] diff --git a/arm/Microsoft.Network/trafficmanagerprofiles/.parameters/parameters.json b/arm/Microsoft.Network/trafficmanagerprofiles/.parameters/parameters.json index 220f646c39..fd3469ed6d 100644 --- a/arm/Microsoft.Network/trafficmanagerprofiles/.parameters/parameters.json +++ b/arm/Microsoft.Network/trafficmanagerprofiles/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "tm-000001" }, - "lock": { - "value": "CanNotDelete" - }, "relativeName": { "value": "tm-000001" }, diff --git a/arm/Microsoft.Network/trafficmanagerprofiles/deploy.bicep b/arm/Microsoft.Network/trafficmanagerprofiles/deploy.bicep index 5edd17fc73..3266752d2d 100644 --- a/arm/Microsoft.Network/trafficmanagerprofiles/deploy.bicep +++ b/arm/Microsoft.Network/trafficmanagerprofiles/deploy.bicep 
@@ -64,12 +64,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -148,10 +148,10 @@ resource trafficManagerProfile 'Microsoft.Network/trafficmanagerprofiles@2018-08 } } -resource trafficManagerProfile_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource trafficManagerProfile_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${trafficManagerProfile.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: trafficManagerProfile @@ -170,7 +170,7 @@ resource trafficManagerProfile_diagnosticSettings 'Microsoft.Insights/diagnostic scope: trafficManagerProfile } -module trafficManagerProfile_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module trafficManagerProfile_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name)}-TrafficManagerProfile-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' 
@@ -181,11 +181,11 @@ module trafficManagerProfile_rbac '.bicep/nested_roleAssignments.bicep' = [for ( } }] -@description('The resource ID of the traffic manager.') +@description('The resource ID of the traffix manager.') output resourceId string = trafficManagerProfile.id -@description('The resource group the traffic manager was deployed into.') +@description('The resource group the traffix manager was deployed into.') output resourceGroupName string = resourceGroup().name -@description('The name of the traffic manager was deployed into.') +@description('The name of the traffix manager was deployed into.') output name string = trafficManagerProfile.name diff --git a/arm/Microsoft.Network/trafficmanagerprofiles/readme.md b/arm/Microsoft.Network/trafficmanagerprofiles/readme.md index 01dd0ba93b..3fe55b13cf 100644 --- a/arm/Microsoft.Network/trafficmanagerprofiles/readme.md +++ b/arm/Microsoft.Network/trafficmanagerprofiles/readme.md @@ -39,7 +39,7 @@ This module deploys a traffic manager profile. | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `endpoints` | array | `[]` | | The list of endpoints in the Traffic Manager profile. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `maxReturn` | int | `1` | | Maximum number of endpoints to be returned for MultiValue routing type. | | `monitorConfig` | object | `{object}` | | The endpoint monitoring settings of the Traffic Manager profile. | | `profileStatus` | string | `'Enabled'` | `[Enabled, Disabled]` | The status of the Traffic Manager profile. | 
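Review bot: The three edited `@description` strings in this hunk introduce the misspelling "traffix" where the removed lines correctly said "traffic manager", so the change is a regression in the generated documentation rather than a fix. The readme outputs table in the following trafficmanagerprofiles readme.md hunk mirrors the same misspelling. Revert to `@description('The resource ID of the traffic manager.')` and `@description('The resource group the traffic manager was deployed into.')`, and the third output reads better as `@description('The name of the traffic manager.')` since a name is not "deployed into" anything.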
@@ -244,9 +244,9 @@ tags: { | Output Name | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the traffic manager was deployed into. | -| `resourceGroupName` | string | The resource group the traffic manager was deployed into. | -| `resourceId` | string | The resource ID of the traffic manager. | +| `name` | string | The name of the traffix manager was deployed into. | +| `resourceGroupName` | string | The resource group the traffix manager was deployed into. | +| `resourceId` | string | The resource ID of the traffix manager. | ## Deployment examples @@ -264,9 +264,6 @@ tags: { "name": { "value": "tm-000001" }, - "lock": { - "value": "CanNotDelete" - }, "relativeName": { "value": "tm-000001" }, @@ -311,7 +308,6 @@ module trafficmanagerprofiles './Microsoft.Network/trafficmanagerprofiles/deploy name: '${uniqueString(deployment().name)}-trafficmanagerprofiles' params: { name: 'tm-000001' - lock: 'CanNotDelete' relativeName: 'tm-000001' roleAssignments: [ { diff --git a/arm/Microsoft.Network/virtualHubs/.parameters/parameters.json b/arm/Microsoft.Network/virtualHubs/.parameters/parameters.json index 2660f1be93..ed856582ad 100644 --- a/arm/Microsoft.Network/virtualHubs/.parameters/parameters.json +++ b/arm/Microsoft.Network/virtualHubs/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-vhub-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "addressPrefix": { "value": "10.1.0.0/16" }, diff --git a/arm/Microsoft.Network/virtualHubs/deploy.bicep b/arm/Microsoft.Network/virtualHubs/deploy.bicep index 3db423a785..ce0d814740 100644 --- a/arm/Microsoft.Network/virtualHubs/deploy.bicep +++ b/arm/Microsoft.Network/virtualHubs/deploy.bicep 
@@ -69,17 +69,17 @@ param hubRouteTables array = [] param hubVirtualNetworkConnections array = [] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -130,10 +130,10 @@ resource virtualHub 'Microsoft.Network/virtualHubs@2021-05-01' = { } } -resource virtualHub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource virtualHub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${virtualHub.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: virtualHub @@ -146,7 +146,7 @@ module virtualHub_routeTables 'hubRouteTables/deploy.bicep' = [for (routeTable, name: routeTable.name labels: contains(routeTable, 'labels') ? routeTable.labels : [] routes: contains(routeTable, 'routes') ? routeTable.routes : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] 
@@ -158,7 +158,7 @@ module virtualHub_hubVirtualNetworkConnections 'hubVirtualNetworkConnections/dep enableInternetSecurity: contains(virtualNetworkConnection, 'enableInternetSecurity') ? virtualNetworkConnection.enableInternetSecurity : true remoteVirtualNetworkId: virtualNetworkConnection.remoteVirtualNetworkId routingConfiguration: contains(virtualNetworkConnection, 'routingConfiguration') ? virtualNetworkConnection.routingConfiguration : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ virtualHub_routeTables diff --git a/arm/Microsoft.Network/virtualHubs/readme.md b/arm/Microsoft.Network/virtualHubs/readme.md index f6469cec2b..698c5fa9f7 100644 --- a/arm/Microsoft.Network/virtualHubs/readme.md +++ b/arm/Microsoft.Network/virtualHubs/readme.md @@ -37,7 +37,7 @@ This module deploys a Virtual Hub. | `hubRouteTables` | _[hubRouteTables](hubRouteTables/readme.md)_ array | `[]` | | Route tables to create for the virtual hub. | | `hubVirtualNetworkConnections` | _[hubVirtualNetworkConnections](hubVirtualNetworkConnections/readme.md)_ array | `[]` | | Virtual network connections to create for the virtual hub. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `p2SVpnGatewayId` | string | `''` | | Resource ID of the Point-to-Site VPN Gateway to link to. | | `preferredRoutingGateway` | string | `''` | `[ExpressRoute, None, VpnGateway, ]` | The preferred routing gateway types. | | `routeTableRoutes` | array | `[]` | | VirtualHub route tables. | @@ -161,9 +161,6 @@ module virtualHubs './Microsoft.Network/virtualHubs/deploy.bicep' = { "name": { "value": "<>-az-vhub-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "addressPrefix": { "value": "10.1.0.0/16" }, 
@@ -216,7 +213,6 @@ module virtualHubs './Microsoft.Network/virtualHubs/deploy.bicep' = { name: '${uniqueString(deployment().name)}-virtualHubs' params: { name: '<>-az-vhub-x-001' - lock: 'CanNotDelete' addressPrefix: '10.1.0.0/16' virtualWanId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualWans/adp-<>-az-vw-x-001' hubRouteTables: [ diff --git a/arm/Microsoft.Network/virtualNetworkGateways/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/virtualNetworkGateways/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Network/virtualNetworkGateways/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/virtualNetworkGateways/.bicep/nested_rbac.bicep index b9a18dde5a..918fd58511 100644 --- a/arm/Microsoft.Network/virtualNetworkGateways/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/virtualNetworkGateways/.bicep/nested_rbac.bicep @@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: virtualNetworkGateway }] diff --git a/arm/Microsoft.Network/virtualNetworkGateways/.parameters/vpn.parameters.json b/arm/Microsoft.Network/virtualNetworkGateways/.parameters/vpn.parameters.json index cf037dc7e9..8699d145eb 100644 --- a/arm/Microsoft.Network/virtualNetworkGateways/.parameters/vpn.parameters.json +++ b/arm/Microsoft.Network/virtualNetworkGateways/.parameters/vpn.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-gw-vpn-001" }, - "lock": { - "value": "CanNotDelete" - }, "domainNameLabel": { "value": [ "<>-az-gw-vpn-dm-001" 
diff --git a/arm/Microsoft.Network/virtualNetworkGateways/deploy.bicep b/arm/Microsoft.Network/virtualNetworkGateways/deploy.bicep index cf8b14368a..ca9369f1a2 100644 --- a/arm/Microsoft.Network/virtualNetworkGateways/deploy.bicep +++ b/arm/Microsoft.Network/virtualNetworkGateways/deploy.bicep @@ -93,12 +93,12 @@ param diagnosticEventHubName string = '' param roleAssignments array = [] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Tags of the resource.') param tags object = {} @@ -312,10 +312,10 @@ resource virtualGatewayPublicIP 'Microsoft.Network/publicIPAddresses@2021-05-01' }] @batchSize(1) -resource virtualGatewayPublicIP_lock 'Microsoft.Authorization/locks@2017-04-01' = [for (virtualGatewayPublicIpName, index) in virtualGatewayPipName_var: if (!empty(lock)) { +resource virtualGatewayPublicIP_lock 'Microsoft.Authorization/locks@2017-04-01' = [for (virtualGatewayPublicIpName, index) in virtualGatewayPipName_var: if (lock != 'NotSpecified') { name: '${virtualGatewayPublicIpName}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: virtualGatewayPublicIP[index] @@ -359,10 +359,10 @@ resource virtualNetworkGateway 'Microsoft.Network/virtualNetworkGateways@2021-05 ] } -resource virtualNetworkGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource virtualNetworkGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${virtualNetworkGateway.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: virtualNetworkGateway 
@@ -381,7 +381,7 @@ resource virtualNetworkGateway_diagnosticSettings 'Microsoft.Insights/diagnostic scope: virtualNetworkGateway } -module virtualNetworkGateway_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module virtualNetworkGateway_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-VNetGateway-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/virtualNetworkGateways/readme.md b/arm/Microsoft.Network/virtualNetworkGateways/readme.md index f29a1710d9..99d6946d8b 100644 --- a/arm/Microsoft.Network/virtualNetworkGateways/readme.md +++ b/arm/Microsoft.Network/virtualNetworkGateways/readme.md 
@@ -49,7 +49,7 @@ This module deploys a virtual network gateway. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `gatewayPipName` | string | `[format('{0}-pip1', parameters('name'))]` | | Specifies the name of the Public IP used by the Virtual Network Gateway. If it's not provided, a '-pip' suffix will be appended to the gateway's name. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `publicIpdiagnosticLogCategoriesToEnable` | array | `[DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports]` | `[DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports]` | The name of logs that will be streamed. | | `publicIpDiagnosticSettingsName` | string | `'diagnosticSettings'` | | The name of the diagnostic setting, if deployed. | | `publicIPPrefixResourceId` | string | `''` | | Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix. | @@ -370,9 +370,6 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy "name": { "value": "<>-az-gw-vpn-001" }, - "lock": { - "value": "CanNotDelete" - }, "domainNameLabel": { "value": [ "<>-az-gw-vpn-dm-001" @@ -439,7 +436,6 @@ module virtualNetworkGateways './Microsoft.Network/virtualNetworkGateways/deploy name: '${uniqueString(deployment().name)}-virtualNetworkGateways' params: { name: '<>-az-gw-vpn-001' - lock: 'CanNotDelete' domainNameLabel: [ '<>-az-gw-vpn-dm-001' ] 
diff --git a/arm/Microsoft.Network/virtualNetworks/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/virtualNetworks/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/virtualNetworks/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/virtualNetworks/.bicep/nested_rbac.bicep index ed41068198..8bbe8f105d 100644 --- a/arm/Microsoft.Network/virtualNetworks/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/virtualNetworks/.bicep/nested_rbac.bicep @@ -64,7 +64,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: virtualNetwork }] diff --git a/arm/Microsoft.Network/virtualNetworks/.parameters/parameters.json b/arm/Microsoft.Network/virtualNetworks/.parameters/parameters.json index 6cb5292ceb..9c66aa5de6 100644 --- a/arm/Microsoft.Network/virtualNetworks/.parameters/parameters.json +++ b/arm/Microsoft.Network/virtualNetworks/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-vnet-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "addressPrefixes": { "value": [ "10.0.0.0/16" diff --git a/arm/Microsoft.Network/virtualNetworks/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/deploy.bicep index 94524b8b31..f01654b201 100644 --- a/arm/Microsoft.Network/virtualNetworks/deploy.bicep +++ b/arm/Microsoft.Network/virtualNetworks/deploy.bicep 
@@ -37,12 +37,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -99,7 +99,7 @@ var ddosProtectionPlan = { id: ddosProtectionPlanId } -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -176,7 +176,7 @@ module virtualNetwork_subnets 'subnets/deploy.bicep' = [for (subnet, index) in s routeTableId: contains(subnet, 'routeTableId') ? subnet.routeTableId : '' serviceEndpointPolicies: contains(subnet, 'serviceEndpointPolicies') ? subnet.serviceEndpointPolicies : [] serviceEndpoints: contains(subnet, 'serviceEndpoints') ? subnet.serviceEndpoints : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] 
@@ -192,7 +192,7 @@ module virtualNetwork_peering_local 'virtualNetworkPeerings/deploy.bicep' = [for allowVirtualNetworkAccess: contains(peering, 'allowVirtualNetworkAccess') ? peering.allowVirtualNetworkAccess : true doNotVerifyRemoteGateways: contains(peering, 'doNotVerifyRemoteGateways') ? peering.doNotVerifyRemoteGateways : true useRemoteGateways: contains(peering, 'useRemoteGateways') ? peering.useRemoteGateways : false - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -209,14 +209,14 @@ module virtualNetwork_peering_remote 'virtualNetworkPeerings/deploy.bicep' = [fo allowVirtualNetworkAccess: contains(peering, 'remotePeeringAllowVirtualNetworkAccess') ? peering.remotePeeringAllowVirtualNetworkAccess : true doNotVerifyRemoteGateways: contains(peering, 'remotePeeringDoNotVerifyRemoteGateways') ? peering.remotePeeringDoNotVerifyRemoteGateways : true useRemoteGateways: contains(peering, 'remotePeeringUseRemoteGateways') ? peering.remotePeeringUseRemoteGateways : false - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] -resource virtualNetwork_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource virtualNetwork_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${virtualNetwork.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: virtualNetwork 
@@ -235,7 +235,7 @@ resource virtualNetwork_diagnosticSettings 'Microsoft.Insights/diagnosticSetting scope: virtualNetwork } -module virtualNetwork_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module virtualNetwork_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-VNet-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/virtualNetworks/readme.md b/arm/Microsoft.Network/virtualNetworks/readme.md index a0e79eb257..9f6cd642ff 100644 --- a/arm/Microsoft.Network/virtualNetworks/readme.md +++ b/arm/Microsoft.Network/virtualNetworks/readme.md @@ -44,7 +44,7 @@ This template deploys a virtual network (vNet). | `dnsServers` | array | `[]` | | DNS Servers associated to the Virtual Network. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `subnets` | _[subnets](subnets/readme.md)_ array | `[]` | | An Array of subnets to deploy to the Virtual Network. | | `tags` | object | `{object}` | | Tags of the resource. | 
@@ -406,9 +406,6 @@ module virtualNetworks './Microsoft.Network/virtualNetworks/deploy.bicep' = { "name": { "value": "<>-az-vnet-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "addressPrefixes": { "value": [ "10.0.0.0/16" @@ -509,7 +506,6 @@ module virtualNetworks './Microsoft.Network/virtualNetworks/deploy.bicep' = { name: '${uniqueString(deployment().name)}-virtualNetworks' params: { name: '<>-az-vnet-x-001' - lock: 'CanNotDelete' addressPrefixes: [ '10.0.0.0/16' ] diff --git a/arm/Microsoft.Network/virtualNetworks/subnets/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/virtualNetworks/subnets/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Network/virtualNetworks/subnets/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/virtualNetworks/subnets/.bicep/nested_rbac.bicep index 36751d8e3a..f701b0f002 100644 --- a/arm/Microsoft.Network/virtualNetworks/subnets/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/virtualNetworks/subnets/.bicep/nested_rbac.bicep @@ -64,7 +64,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: subnet }] diff --git a/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep index c894752a1d..fe0dda3d6c 100644 --- a/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep +++ b/arm/Microsoft.Network/virtualNetworks/subnets/deploy.bicep 
@@ -97,8 +97,8 @@ resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' = { } } -module subnet_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, subnet.id)}-Subnet-Rbac-${index}' +module subnet_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: '${uniqueString(deployment().name, resourceGroup().location)}-Subnet-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' principalIds: roleAssignment.principalIds diff --git a/arm/Microsoft.Network/virtualWans/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/virtualWans/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Network/virtualWans/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/virtualWans/.bicep/nested_rbac.bicep index d5b4eb8c6b..2dd6381f03 100644 --- a/arm/Microsoft.Network/virtualWans/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Network/virtualWans/.bicep/nested_rbac.bicep @@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: virtualWan }] diff --git a/arm/Microsoft.Network/virtualWans/.parameters/parameters.json b/arm/Microsoft.Network/virtualWans/.parameters/parameters.json index 15f8aa96f5..325af25252 100644 --- a/arm/Microsoft.Network/virtualWans/.parameters/parameters.json +++ b/arm/Microsoft.Network/virtualWans/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-vw-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "type": { "value": "Basic" }, 
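Review bot: The new name seed for `subnet_rbac` drops `subnet.id` in favour of `resourceGroup().location`, so the nested RBAC deployment name no longer varies by target subnet; if the subnet module is ever invoked under a reused deployment name within one resource group, the nested deployment names would collide across subnets. It also differs from the sibling modules in this commit, which seed with the `location` parameter rather than `resourceGroup().location` — it is not visible here whether the subnet module exposes a `location` parameter. Keeping the subnet in the seed, e.g. `name: '${uniqueString(deployment().name, subnet.id)}-Subnet-Rbac-${index}'`, preserves the previous uniqueness guarantee while still switching to the renamed `.bicep/nested_rbac.bicep` module.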
diff --git a/arm/Microsoft.Network/virtualWans/deploy.bicep b/arm/Microsoft.Network/virtualWans/deploy.bicep index 8543386fe3..ee927daf3c 100644 --- a/arm/Microsoft.Network/virtualWans/deploy.bicep +++ b/arm/Microsoft.Network/virtualWans/deploy.bicep @@ -30,12 +30,12 @@ param tags object = {} param enableDefaultTelemetry bool = true @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -61,16 +61,16 @@ resource virtualWan 'Microsoft.Network/virtualWans@2021-05-01' = { } } -resource virtualWan_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource virtualWan_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${virtualWan.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: virtualWan } -module virtualWan_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module virtualWan_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-VWan-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Network/virtualWans/readme.md b/arm/Microsoft.Network/virtualWans/readme.md index 5e43343b31..b784a244b9 100644 --- a/arm/Microsoft.Network/virtualWans/readme.md +++ b/arm/Microsoft.Network/virtualWans/readme.md 
@@ -32,7 +32,7 @@ This template deploys a virtual WAN. | `disableVpnEncryption` | bool | `False` | | VPN encryption to be disabled or not. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location where all resources will be created. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | | `type` | string | `'Standard'` | `[Standard, Basic]` | The type of the Virtual WAN. | @@ -199,9 +199,6 @@ module virtualWans './Microsoft.Network/virtualWans/deploy.bicep' = { "name": { "value": "<>-az-vw-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "type": { "value": "Basic" }, @@ -240,7 +237,6 @@ module virtualWans './Microsoft.Network/virtualWans/deploy.bicep' = { name: '${uniqueString(deployment().name)}-virtualWans' params: { name: '<>-az-vw-x-001' - lock: 'CanNotDelete' type: 'Basic' allowBranchToBranchTraffic: true allowVnetToVnetTraffic: true diff --git a/arm/Microsoft.Network/vpnGateways/.parameters/parameters.json b/arm/Microsoft.Network/vpnGateways/.parameters/parameters.json index 620e1c6ff7..af4f1eca8f 100644 --- a/arm/Microsoft.Network/vpnGateways/.parameters/parameters.json +++ b/arm/Microsoft.Network/vpnGateways/.parameters/parameters.json 
@@ -5,9 +5,6 @@ "name": { "value": "<>-az-vpngw-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "virtualHubResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/<>-az-vhub-x-001" }, diff --git a/arm/Microsoft.Network/vpnGateways/deploy.bicep b/arm/Microsoft.Network/vpnGateways/deploy.bicep index 2efca6d541..9587e3d714 100644 --- a/arm/Microsoft.Network/vpnGateways/deploy.bicep +++ b/arm/Microsoft.Network/vpnGateways/deploy.bicep @@ -29,17 +29,17 @@ param vpnGatewayScaleUnit int = 2 param tags object = {} @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -68,10 +68,10 @@ resource vpnGateway 'Microsoft.Network/vpnGateways@2021-05-01' = { } } -resource vpnGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource vpnGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${vpnGateway.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: vpnGateway 
@@ -87,7 +87,7 @@ module vpnGateway_natRules 'natRules/deploy.bicep' = [for (natRule, index) in na ipConfigurationId: contains(natRule, 'ipConfigurationId') ? natRule.ipConfigurationId : '' mode: contains(natRule, 'mode') ? natRule.mode : '' type: contains(natRule, 'type') ? natRule.type : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -107,7 +107,7 @@ module vpnGateway_connections 'connections/deploy.bicep' = [for (connection, ind useLocalAzureIpAddress: contains(connection, 'useLocalAzureIpAddress') ? connection.useLocalAzureIpAddress : false usePolicyBasedTrafficSelectors: contains(connection, 'usePolicyBasedTrafficSelectors') ? connection.usePolicyBasedTrafficSelectors : false vpnConnectionProtocolType: contains(connection, 'vpnConnectionProtocolType') ? connection.vpnConnectionProtocolType : 'IKEv2' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] diff --git a/arm/Microsoft.Network/vpnGateways/readme.md b/arm/Microsoft.Network/vpnGateways/readme.md index 5580194a3c..2ad40aaf5d 100644 --- a/arm/Microsoft.Network/vpnGateways/readme.md +++ b/arm/Microsoft.Network/vpnGateways/readme.md 
@@ -35,7 +35,7 @@ This module deploys VPN Gateways. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `isRoutingPreferenceInternet` | bool | `False` | | Enable routing preference property for the public IP interface of the VPN gateway. | | `location` | string | `[resourceGroup().location]` | | Location where all resources will be created. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `natRules` | _[natRules](natRules/readme.md)_ array | `[]` | | List of all the NAT Rules to associate with the gateway. | | `tags` | object | `{object}` | | Tags of the resource. | | `vpnGatewayScaleUnit` | int | `2` | | The scale unit for this VPN gateway. | @@ -224,9 +224,6 @@ module vpnGateways './Microsoft.Network/vpnGateways/deploy.bicep' = { "name": { "value": "<>-az-vpngw-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "virtualHubResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/<>-az-vhub-x-001" }, @@ -299,7 +296,6 @@ module vpnGateways './Microsoft.Network/vpnGateways/deploy.bicep' = { name: '${uniqueString(deployment().name)}-vpnGateways' params: { name: '<>-az-vpngw-x-001' - lock: 'CanNotDelete' virtualHubResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualHubs/<>-az-vhub-x-001' bgpSettings: { asn: 65515 diff --git a/arm/Microsoft.Network/vpnSites/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Network/vpnSites/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Network/vpnSites/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Network/vpnSites/.bicep/nested_rbac.bicep index 52b018b360..6aee362da0 100644 --- a/arm/Microsoft.Network/vpnSites/.bicep/nested_roleAssignments.bicep 
+++ b/arm/Microsoft.Network/vpnSites/.bicep/nested_rbac.bicep @@ -31,7 +31,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev properties: { roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: vpnSite }] diff --git a/arm/Microsoft.Network/vpnSites/.parameters/parameters.json b/arm/Microsoft.Network/vpnSites/.parameters/parameters.json index 94c534c5e4..39ec5e30c9 100644 --- a/arm/Microsoft.Network/vpnSites/.parameters/parameters.json +++ b/arm/Microsoft.Network/vpnSites/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-vSite-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "tags": { "value": { "tagA": "valueA", diff --git a/arm/Microsoft.Network/vpnSites/deploy.bicep b/arm/Microsoft.Network/vpnSites/deploy.bicep index 0c62973913..333b81739f 100644 --- a/arm/Microsoft.Network/vpnSites/deploy.bicep +++ b/arm/Microsoft.Network/vpnSites/deploy.bicep @@ -35,12 +35,12 @@ param enableDefaultTelemetry bool = true param vpnSiteLinks array = [] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -77,16 +77,16 @@ resource vpnSite 'Microsoft.Network/vpnSites@2021-05-01' = { } } -resource vpnSite_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource vpnSite_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${vpnSite.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: vpnSite } -module vpnSite_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module vpnSite_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-VWan-Rbac-${index}' params: { principalIds: roleAssignment.principalIds diff --git a/arm/Microsoft.Network/vpnSites/readme.md b/arm/Microsoft.Network/vpnSites/readme.md index 7005812d42..700bf42381 100644 --- a/arm/Microsoft.Network/vpnSites/readme.md +++ b/arm/Microsoft.Network/vpnSites/readme.md 
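Review bot: The rewritten line `module vpnSite_rbac '.bicep/nested_rbac.bicep' = ...` keeps the context line `name: '${uniqueString(deployment().name, location)}-VWan-Rbac-${index}'`, so the vpnSites role-assignment deployments are still labelled as virtual WAN deployments in deployment history; since the module line is being touched anyway, `name: '${uniqueString(deployment().name, location)}-VpnSite-Rbac-${index}'` would make the history readable. The `vpnSite_rbac` module body continues past the hunk. Separately, the vpnSites nested_rbac hunk (L619) shows `properties` without a `description` entry, unlike the virtualWans and workspaces variants of the same file; if that is an oversight rather than a deliberate difference, the role assignment description is silently dropped for this module.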
@@ -35,7 +35,7 @@ This module deploys a VPN Site. | `ipAddress` | string | `''` | | The IP-address for the VPN-site. Note: This is a deprecated property, please use the corresponding VpnSiteLinks property instead. | | `isSecuritySite` | bool | `False` | | IsSecuritySite flag. | | `location` | string | `[resourceGroup().location]` | | Location where all resources will be created. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `o365Policy` | object | `{object}` | | The Office365 breakout policy. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -384,9 +384,6 @@ module vpnSites './Microsoft.Network/vpnSites/deploy.bicep' = { "name": { "value": "<>-az-vSite-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "tags": { "value": { "tagA": "valueA", @@ -468,7 +465,6 @@ module vpnSites './Microsoft.Network/vpnSites/deploy.bicep' = { name: '${uniqueString(deployment().name)}-vpnSites' params: { name: '<>-az-vSite-x-001' - lock: 'CanNotDelete' tags: { tagA: 'valueA' tagB: 'valueB' diff --git a/arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_rbac.bicep index e2c0ea3228..b0a11be06c 100644 
--- a/arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_rbac.bicep
@@ -54,7 +54,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: logAnalyticsWorkspace
 }]
diff --git a/arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_solutions.bicep b/arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_solutions.bicep
new file mode 100644
index 0000000000..341438497c
--- /dev/null
+++ b/arm/Microsoft.OperationalInsights/workspaces/.bicep/nested_solutions.bicep
@@ -0,0 +1,32 @@
+param gallerySolution string
+param logAnalyticsWorkspaceName string
+param location string
+param product string = 'OMSGallery'
+param publisher string = 'Microsoft'
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = {
+ name: logAnalyticsWorkspaceName
+}
+
+resource solution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = {
+ name: '${gallerySolution}(${logAnalyticsWorkspace.name})'
+ location: location
+ properties: {
+ workspaceResourceId: logAnalyticsWorkspace.id
+ }
+ plan: {
+ name: '${gallerySolution}(${logAnalyticsWorkspace.name})'
+ product: '${product}/${gallerySolution}'
+ promotionCode: ''
+ publisher: publisher
+ }
+}
+
+@description('The resource ID of the deployed solution')
+output resourceId string = solution.id
+
+@description('The resource group where the solution will be deployed')
+output resourceGroupName string = resourceGroup().name
+
+@description('The name of the deployed solution')
+output name string = solution.name
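Review bot: The new file's `product: '${product}/${gallerySolution}'` prefixes the solution name onto whatever `product` the caller passes, but the parent now forwards `gallerySolution.product` unchanged (workspaces/deploy.bicep, L626) and the readme examples in this commit set it to values like `OMSGallery/AgentHealthAssessment`, which would yield a plan product of `OMSGallery/AgentHealthAssessment/AgentHealthAssessment`. Either the nested module should use `product: product` and expect the full `OMSGallery/<name>` string, or the concatenation stays and the readme examples should keep the bare `OMSGallery` value; the two cannot both be right, and the validation parameters for the workspace are not visible here to tell which form is actually deployed. The parameters also lack the `@description(...)` decorators that the outputs below and the parent module use, so the meaning of `gallerySolution` (the solution name that becomes both the resource name and the plan name) is undocumented.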
diff --git a/arm/Microsoft.OperationalInsights/workspaces/.parameters/min.parameters.json b/arm/Microsoft.OperationalInsights/workspaces/.parameters/min.parameters.json index 97fc2fafe4..0220489395 100644 --- a/arm/Microsoft.OperationalInsights/workspaces/.parameters/min.parameters.json +++ b/arm/Microsoft.OperationalInsights/workspaces/.parameters/min.parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-law-min-001" + "value": "<>-az-la-min-001" } } } diff --git a/arm/Microsoft.OperationalInsights/workspaces/.parameters/parameters.json b/arm/Microsoft.OperationalInsights/workspaces/.parameters/parameters.json index e69b24d3ff..2f8d6d9b88 100644 --- a/arm/Microsoft.OperationalInsights/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.OperationalInsights/workspaces/.parameters/parameters.json @@ -3,10 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-law-x-001" - }, - "lock": { - "value": "CanNotDelete" + "value": "<>-az-la-x-001" }, "publicNetworkAccessForIngestion": { "value": "Disabled" @@ -34,7 +31,7 @@ "value": [ { "name": "Automation", - "resourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Automation/automationAccounts/adp-<>-az-aut-x-001" + "resourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Automation/automationAccounts/adp-<>-wd-aut-x-001" } ] }, diff --git a/arm/Microsoft.OperationalInsights/workspaces/deploy.bicep b/arm/Microsoft.OperationalInsights/workspaces/deploy.bicep index ef5d91997d..a4e5217b9c 100644 --- a/arm/Microsoft.OperationalInsights/workspaces/deploy.bicep +++ b/arm/Microsoft.OperationalInsights/workspaces/deploy.bicep 
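Review bot: The linked-service resource ID changes from `adp-<>-az-aut-x-001` to `adp-<>-wd-aut-x-001`, which breaks the `<>-az-` placeholder pattern used everywhere else in these parameter files, including the `<>-az-la-x-001` rename in the hunk above. If the validation automation account really was renamed this is fine, but it reads like an environment-specific name that leaked in; the same string is repeated in the readme (L634). Whichever is intended, the value must match the automation account the validation pipeline actually deploys, otherwise the linkedServices deployment fails.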
@@ -25,7 +25,7 @@ param savedSearches array = [] @description('Optional. LAW data sources to configure.') param dataSources array = [] -@description('Optional. List of gallerySolutions to be created in the log analytics workspace.') +@description('Optional. LAW gallerySolutions from the gallery.') param gallerySolutions array = [] @description('Optional. Number of days data will be retained for.') @@ -72,12 +72,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -128,7 +128,7 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { var logAnalyticsSearchVersion = 1 -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -183,7 +183,7 @@ module logAnalyticsWorkspace_storageInsightConfigs 'storageInsightConfigs/deploy containers: contains(storageInsightsConfig, 'containers') ? storageInsightsConfig.containers : [] tables: contains(storageInsightsConfig, 'tables') ? storageInsightsConfig.tables : [] storageAccountId: storageInsightsConfig.storageAccountId - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] 
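Review bot: The new description `@description('Optional. LAW gallerySolutions from the gallery.')` says less than the text it replaces and does not state what each array element must contain, even though later in this file the parent reads `gallerySolution.product` and `gallerySolution.publisher` unconditionally (L626). Suggest `@description('Optional. List of gallery solutions to create in the workspace. Each object must contain name, product and publisher.')`, and mirroring it in the readme parameter table (L628).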
@@ -192,9 +192,9 @@ module logAnalyticsWorkspace_linkedServices 'linkedServices/deploy.bicep' = [for params: { logAnalyticsWorkspaceName: logAnalyticsWorkspace.name name: linkedService.name - resourceId: contains(linkedService, 'resourceId') ? linkedService.resourceId : '' + resourceId: linkedService.resourceId writeAccessResourceId: contains(linkedService, 'writeAccessResourceId') ? linkedService.writeAccessResourceId : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -210,7 +210,7 @@ module logAnalyticsWorkspace_savedSearches 'savedSearches/deploy.bicep' = [for ( functionAlias: contains(savedSearch, 'functionAlias') ? savedSearch.functionAlias : '' functionParameters: contains(savedSearch, 'functionParameters') ? savedSearch.functionParameters : '' version: contains(savedSearch, 'version') ? savedSearch.version : 2 - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] 
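Review bot: `resourceId: linkedService.resourceId` replaces the `contains()` fallback, so a `linkedServices` entry without `resourceId` now fails the deployment with a property-not-found error instead of passing `''` to the child module. If the child requires a non-empty resource ID this is the better failure mode, but it is a behaviour change for callers, and the `linkedServices` parameter description (outside the hunk) should state that `resourceId` is required.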
@@ -231,32 +231,31 @@ module logAnalyticsWorkspace_dataSources 'dataSources/deploy.bicep' = [for (data syslogName: contains(dataSource, 'syslogName') ? dataSource.syslogName : '' syslogSeverities: contains(dataSource, 'syslogSeverities') ? dataSource.syslogSeverities : [] performanceCounters: contains(dataSource, 'performanceCounters') ? dataSource.performanceCounters : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] -module logAnalyticsWorkspace_solutions '../../Microsoft.OperationsManagement/solutions/deploy.bicep' = [for (gallerySolution, index) in gallerySolutions: if (!empty(gallerySolutions)) { +module logAnalyticsWorkspace_solutions '.bicep/nested_solutions.bicep' = [for (gallerySolution, index) in gallerySolutions: if (!empty(gallerySolutions)) { name: '${uniqueString(deployment().name, location)}-LAW-Solution-${index}' params: { - name: gallerySolution.name + gallerySolution: gallerySolution.name location: location logAnalyticsWorkspaceName: logAnalyticsWorkspace.name - product: contains(gallerySolution, 'product') ? gallerySolution.product : 'OMSGallery' - publisher: contains(gallerySolution, 'publisher') ? gallerySolution.publisher : 'Microsoft' - enableDefaultTelemetry: enableReferencedModulesTelemetry + product: gallerySolution.product + publisher: gallerySolution.publisher } }] -resource logAnalyticsWorkspace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource logAnalyticsWorkspace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${logAnalyticsWorkspace.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' 
} scope: logAnalyticsWorkspace } -module logAnalyticsWorkspace_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module logAnalyticsWorkspace_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-LAW-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.OperationalInsights/workspaces/linkedServices/deploy.bicep b/arm/Microsoft.OperationalInsights/workspaces/linkedServices/deploy.bicep index 73f552cbd0..bc67a4e5f5 100644 --- a/arm/Microsoft.OperationalInsights/workspaces/linkedServices/deploy.bicep +++ b/arm/Microsoft.OperationalInsights/workspaces/linkedServices/deploy.bicep @@ -42,11 +42,11 @@ resource linkedService 'Microsoft.OperationalInsights/workspaces/linkedServices@ } } -@description('The name of the deployed linked service.') -output name string = linkedService.name - @description('The resource ID of the deployed linked service.') output resourceId string = linkedService.id @description('The resource group where the linked service is deployed.') output resourceGroupName string = resourceGroup().name + +@description('The name of the deployed linked service.') +output name string = linkedService.name diff --git a/arm/Microsoft.OperationalInsights/workspaces/readme.md b/arm/Microsoft.OperationalInsights/workspaces/readme.md index 90c8ddfcb0..169beb411a 100644 --- a/arm/Microsoft.OperationalInsights/workspaces/readme.md +++ b/arm/Microsoft.OperationalInsights/workspaces/readme.md 
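Review bot: `product: gallerySolution.product` and `publisher: gallerySolution.publisher` drop the `contains()` fallbacks the removed lines had, so the `'OMSGallery'` and `'Microsoft'` defaults declared in the new nested_solutions.bicep (L622) are unreachable from this module and an element without those keys fails at deployment. Keeping `product: contains(gallerySolution, 'product') ? gallerySolution.product : 'OMSGallery'` and `publisher: contains(gallerySolution, 'publisher') ? gallerySolution.publisher : 'Microsoft'` preserves the old contract. Note also that the nested module computes `'${product}/${gallerySolution}'`, so the value passed here must be the bare gallery prefix rather than the `OMSGallery/<name>` form the readme examples now show. The `logAnalyticsWorkspace_rbac` module at the end of the hunk continues past it.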
@@ -45,10 +45,10 @@ This template deploys a log analytics workspace. | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | | `diagnosticWorkspaceId` | string | `''` | | Resource ID of a log analytics workspace. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `gallerySolutions` | array | `[]` | | List of gallerySolutions to be created in the log analytics workspace. | +| `gallerySolutions` | array | `[]` | | LAW gallerySolutions from the gallery. | | `linkedServices` | _[linkedServices](linkedServices/readme.md)_ array | `[]` | | List of services to be linked. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `publicNetworkAccessForIngestion` | string | `'Enabled'` | `[Enabled, Disabled]` | The network access type for accessing Log Analytics ingestion. | | `publicNetworkAccessForQuery` | string | `'Enabled'` | `[Enabled, Disabled]` | The network access type for accessing Log Analytics query. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -61,8 +61,6 @@ This template deploys a log analytics workspace. ### Parameter Usage: `gallerySolutions` -Ref cross-referenced _[solutions](../../Microsoft.OperationsManagement/solutions/readme.md)_ -
Parameter JSON format 
@@ -72,122 +70,122 @@ Ref cross-referenced _[solutions](../../Microsoft.OperationsManagement/solutions "value": [ { "name": "AgentHealthAssessment", - "product": "OMSGallery", + "product": "OMSGallery/AgentHealthAssessment", "publisher": "Microsoft" }, { "name": "AlertManagement", - "product": "OMSGallery", + "product": "OMSGallery/AlertManagement", "publisher": "Microsoft" }, { "name": "AntiMalware", - "product": "OMSGallery", + "product": "OMSGallery/AntiMalware", "publisher": "Microsoft" }, { "name": "AzureActivity", - "product": "OMSGallery", + "product": "OMSGallery/AzureActivity", "publisher": "Microsoft" }, { "name": "AzureAutomation", - "product": "OMSGallery", + "product": "OMSGallery/AzureAutomation", "publisher": "Microsoft" }, { "name": "AzureCdnCoreAnalytics", - "product": "OMSGallery", + "product": "OMSGallery/AzureCdnCoreAnalytics", "publisher": "Microsoft" }, { "name": "AzureDataFactoryAnalytics", - "product": "OMSGallery", + "product": "OMSGallery/AzureDataFactoryAnalytics", "publisher": "Microsoft" }, { "name": "AzureNSGAnalytics", - "product": "OMSGallery", + "product": "OMSGallery/AzureNSGAnalytics", "publisher": "Microsoft" }, { "name": "AzureSQLAnalytics", - "product": "OMSGallery", + "product": "OMSGallery/AzureSQLAnalytics", "publisher": "Microsoft" }, { "name": "ChangeTracking", - "product": "OMSGallery", + "product": "OMSGallery/ChangeTracking", "publisher": "Microsoft" }, { "name": "Containers", - "product": "OMSGallery", + "product": "OMSGallery/Containers", "publisher": "Microsoft" }, { "name": "InfrastructureInsights", - "product": "OMSGallery", + "product": "OMSGallery/InfrastructureInsights", "publisher": "Microsoft" }, { "name": "KeyVaultAnalytics", - "product": "OMSGallery", + "product": "OMSGallery/KeyVaultAnalytics", "publisher": "Microsoft" }, { "name": "LogicAppsManagement", - "product": "OMSGallery", + "product": "OMSGallery/LogicAppsManagement", "publisher": "Microsoft" }, { "name": "NetworkMonitoring", - "product": 
"OMSGallery", + "product": "OMSGallery/NetworkMonitoring", "publisher": "Microsoft" }, { "name": "Security", - "product": "OMSGallery", + "product": "OMSGallery/Security", "publisher": "Microsoft" }, { "name": "SecurityCenterFree", - "product": "OMSGallery", + "product": "OMSGallery/SecurityCenterFree", "publisher": "Microsoft" }, { "name": "ServiceFabric", - "product": "OMSGallery", + "product": "OMSGallery/ServiceFabric", "publisher": "Microsoft" }, { "name": "ServiceMap", - "product": "OMSGallery", + "product": "OMSGallery/ServiceMap", "publisher": "Microsoft" }, { "name": "SQLAssessment", - "product": "OMSGallery", + "product": "OMSGallery/SQLAssessment", "publisher": "Microsoft" }, { "name": "Updates", - "product": "OMSGallery", + "product": "OMSGallery/Updates", "publisher": "Microsoft" }, { "name": "VMInsights", - "product": "OMSGallery", + "product": "OMSGallery/VMInsights", "publisher": "Microsoft" }, { "name": "WireData2", - "product": "OMSGallery", + "product": "OMSGallery/WireData2", "publisher": "Microsoft" }, { "name": "WaaSUpdateInsights", - "product": "OMSGallery", + "product": "OMSGallery/WaaSUpdateInsights", "publisher": "Microsoft" } ] 
@@ -204,122 +202,122 @@ Ref cross-referenced _[solutions](../../Microsoft.OperationsManagement/solutions gallerySolutions: [ { name: 'AgentHealthAssessment' - product: 'OMSGallery' + product: 'OMSGallery/AgentHealthAssessment' publisher: 'Microsoft' } { name: 'AlertManagement' - product: 'OMSGallery' + product: 'OMSGallery/AlertManagement' publisher: 'Microsoft' } { name: 'AntiMalware' - product: 'OMSGallery' + product: 'OMSGallery/AntiMalware' publisher: 'Microsoft' } { name: 'AzureActivity' - product: 'OMSGallery' + product: 'OMSGallery/AzureActivity' publisher: 'Microsoft' } { name: 'AzureAutomation' - product: 'OMSGallery' + product: 'OMSGallery/AzureAutomation' publisher: 'Microsoft' } { name: 'AzureCdnCoreAnalytics' - product: 'OMSGallery' + product: 'OMSGallery/AzureCdnCoreAnalytics' publisher: 'Microsoft' } { name: 'AzureDataFactoryAnalytics' - product: 'OMSGallery' + product: 'OMSGallery/AzureDataFactoryAnalytics' publisher: 'Microsoft' } { name: 'AzureNSGAnalytics' - product: 'OMSGallery' + product: 'OMSGallery/AzureNSGAnalytics' publisher: 'Microsoft' } { name: 'AzureSQLAnalytics' - product: 'OMSGallery' + product: 'OMSGallery/AzureSQLAnalytics' publisher: 'Microsoft' } { name: 'ChangeTracking' - product: 'OMSGallery' + product: 'OMSGallery/ChangeTracking' publisher: 'Microsoft' } { name: 'Containers' - product: 'OMSGallery' + product: 'OMSGallery/Containers' publisher: 'Microsoft' } { name: 'InfrastructureInsights' - product: 'OMSGallery' + product: 'OMSGallery/InfrastructureInsights' publisher: 'Microsoft' } { name: 'KeyVaultAnalytics' - product: 'OMSGallery' + product: 'OMSGallery/KeyVaultAnalytics' publisher: 'Microsoft' } { name: 'LogicAppsManagement' - product: 'OMSGallery' + product: 'OMSGallery/LogicAppsManagement' publisher: 'Microsoft' } { name: 'NetworkMonitoring' - product: 'OMSGallery' + product: 'OMSGallery/NetworkMonitoring' publisher: 'Microsoft' } { name: 'Security' - product: 'OMSGallery' + product: 'OMSGallery/Security' publisher: 
'Microsoft' } { name: 'SecurityCenterFree' - product: 'OMSGallery' + product: 'OMSGallery/SecurityCenterFree' publisher: 'Microsoft' } { name: 'ServiceFabric' - product: 'OMSGallery' + product: 'OMSGallery/ServiceFabric' publisher: 'Microsoft' } { name: 'ServiceMap' - product: 'OMSGallery' + product: 'OMSGallery/ServiceMap' publisher: 'Microsoft' } { name: 'SQLAssessment' - product: 'OMSGallery' + product: 'OMSGallery/SQLAssessment' publisher: 'Microsoft' } { name: 'Updates' - product: 'OMSGallery' + product: 'OMSGallery/Updates' publisher: 'Microsoft' } { name: 'VMInsights' - product: 'OMSGallery' + product: 'OMSGallery/VMInsights' publisher: 'Microsoft' } { name: 'WireData2' - product: 'OMSGallery' + product: 'OMSGallery/WireData2' publisher: 'Microsoft' } { name: 'WaaSUpdateInsights' - product: 'OMSGallery' + product: 'OMSGallery/WaaSUpdateInsights' publisher: 'Microsoft' } ] @@ -452,7 +450,7 @@ tags: { "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-law-min-001" + "value": "<>-az-la-min-001" } } } @@ -469,7 +467,7 @@ tags: { module workspaces './Microsoft.OperationalInsights/workspaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-workspaces' params: { - name: '<>-az-law-min-001' + name: '<>-az-la-min-001' } ``` @@ -488,10 +486,7 @@ module workspaces './Microsoft.OperationalInsights/workspaces/deploy.bicep' = { "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-law-x-001" - }, - "lock": { - "value": "CanNotDelete" + "value": "<>-az-la-x-001" }, "publicNetworkAccessForIngestion": { "value": "Disabled" 
@@ -519,7 +514,7 @@ module workspaces './Microsoft.OperationalInsights/workspaces/deploy.bicep' = { "value": [ { "name": "Automation", - "resourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Automation/automationAccounts/adp-<>-az-aut-x-001" + "resourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Automation/automationAccounts/adp-<>-wd-aut-x-001" } ] }, @@ -667,8 +662,7 @@ module workspaces './Microsoft.OperationalInsights/workspaces/deploy.bicep' = { module workspaces './Microsoft.OperationalInsights/workspaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-workspaces' params: { - name: '<>-az-law-x-001' - lock: 'CanNotDelete' + name: '<>-az-la-x-001' publicNetworkAccessForIngestion: 'Disabled' publicNetworkAccessForQuery: 'Disabled' dailyQuotaGb: 10 @@ -686,7 +680,7 @@ module workspaces './Microsoft.OperationalInsights/workspaces/deploy.bicep' = { linkedServices: [ { name: 'Automation' - resourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Automation/automationAccounts/adp-<>-az-aut-x-001' + resourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Automation/automationAccounts/adp-<>-wd-aut-x-001' } ] savedSearches: [ diff --git a/arm/Microsoft.OperationsManagement/solutions/.parameters/min.parameters.json b/arm/Microsoft.OperationsManagement/solutions/.parameters/min.parameters.json deleted file mode 100644 index 6844bb4688..0000000000 --- a/arm/Microsoft.OperationsManagement/solutions/.parameters/min.parameters.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "Updates" - }, - "logAnalyticsWorkspaceName": { - "value": "adp-<>-az-law-sol-001" - } - } -} 
diff --git a/arm/Microsoft.OperationsManagement/solutions/.parameters/ms.parameters.json b/arm/Microsoft.OperationsManagement/solutions/.parameters/ms.parameters.json deleted file mode 100644 index c7dcb66400..0000000000 --- a/arm/Microsoft.OperationsManagement/solutions/.parameters/ms.parameters.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "AzureAutomation" - }, - "logAnalyticsWorkspaceName": { - "value": "adp-<>-az-law-sol-001" - }, - "product": { - "value": "OMSGallery" - }, - "publisher": { - "value": "Microsoft" - } - } -} diff --git a/arm/Microsoft.OperationsManagement/solutions/.parameters/nonms.parameters.json b/arm/Microsoft.OperationsManagement/solutions/.parameters/nonms.parameters.json deleted file mode 100644 index a040bf8d2f..0000000000 --- a/arm/Microsoft.OperationsManagement/solutions/.parameters/nonms.parameters.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "nonmsTestSolution" - }, - "logAnalyticsWorkspaceName": { - "value": "adp-<>-az-law-sol-001" - }, - "product": { - "value": "nonmsTestSolutionProduct" - }, - "publisher": { - "value": "nonmsTestSolutionPublisher" - } - } -} diff --git a/arm/Microsoft.OperationsManagement/solutions/deploy.bicep b/arm/Microsoft.OperationsManagement/solutions/deploy.bicep deleted file mode 100644 index 3438041ddd..0000000000 --- a/arm/Microsoft.OperationsManagement/solutions/deploy.bicep +++ /dev/null 
@@ -1,63 +0,0 @@ -@description('Required. Name of the solution. For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`.') -param name string - -@description('Required. Name of the Log Analytics workspace where the solution will be deployed/enabled.') -param logAnalyticsWorkspaceName string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. The product of the deployed solution. For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive.') -param product string = 'OMSGallery' - -@description('Optional. The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`.') -param publisher string = 'Microsoft' - -@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = { - name: logAnalyticsWorkspaceName -} - -var solutionName = publisher == 'Microsoft' ? '${name}(${logAnalyticsWorkspace.name})' : name - -var solutionProduct = publisher == 'Microsoft' ? 
'OMSGallery/${name}' : product - -resource solution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = { - name: solutionName - location: location - properties: { - workspaceResourceId: logAnalyticsWorkspace.id - } - plan: { - name: solutionName - promotionCode: '' - product: solutionProduct - publisher: publisher - } -} - -@description('The name of the deployed solution.') -output name string = solution.name - -@description('The resource ID of the deployed solution.') -output resourceId string = solution.id - -@description('The resource group where the solution is deployed.') -output resourceGroupName string = resourceGroup().name - -@description('The location the resource was deployed into.') -output location string = solution.location diff --git a/arm/Microsoft.OperationsManagement/solutions/readme.md b/arm/Microsoft.OperationsManagement/solutions/readme.md deleted file mode 100644 index 421b0fcfc8..0000000000 --- a/arm/Microsoft.OperationsManagement/solutions/readme.md +++ /dev/null 
@@ -1,180 +0,0 @@ -# OperationsManagement Solutions `[Microsoft.OperationsManagement/solutions]` - -This module deploys OperationsManagement Solutions. - -## Navigation - -- [Resource Types](#Resource-Types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) -- [Deployment examples](#Deployment-examples) - -## Resource Types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.OperationsManagement/solutions` | [2015-11-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationsManagement/2015-11-01-preview/solutions) | - -## Parameters - -**Required parameters** -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `logAnalyticsWorkspaceName` | string | Name of the Log Analytics workspace where the solution will be deployed/enabled. | -| `name` | string | Name of the solution. For Microsoft published gallery solution the target solution resource name will be composed as `{name}({logAnalyticsWorkspaceName})`. | - -**Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | -| `product` | string | `'OMSGallery'` | The product of the deployed solution. For Microsoft published gallery solution it should be `OMSGallery` and the target solution resource product will be composed as `OMSGallery/{name}`. For third party solution, it can be anything. This is case sensitive. | -| `publisher` | string | `'Microsoft'` | The publisher name of the deployed solution. For Microsoft published gallery solution, it is `Microsoft`. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the deployed solution. 
| -| `resourceGroupName` | string | The resource group where the solution is deployed. | -| `resourceId` | string | The resource ID of the deployed solution. | - -## Deployment examples - -

Example 1

- -
- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "Updates" - }, - "logAnalyticsWorkspaceName": { - "value": "adp-<>-az-law-sol-001" - } - } -} - -``` - -
- -
- -via Bicep module - -```bicep -module solutions './Microsoft.OperationsManagement/solutions/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-solutions' - params: { - name: 'Updates' - logAnalyticsWorkspaceName: 'adp-<>-az-law-sol-001' - } -``` - -
-

- -

Example 2

- -
- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "AzureAutomation" - }, - "logAnalyticsWorkspaceName": { - "value": "adp-<>-az-law-sol-001" - }, - "product": { - "value": "OMSGallery" - }, - "publisher": { - "value": "Microsoft" - } - } -} - -``` - -
- -
- -via Bicep module - -```bicep -module solutions './Microsoft.OperationsManagement/solutions/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-solutions' - params: { - name: 'AzureAutomation' - logAnalyticsWorkspaceName: 'adp-<>-az-law-sol-001' - product: 'OMSGallery' - publisher: 'Microsoft' - } -``` - -
-

- -

Example 3

- -
- -via JSON Parameter file - -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "nonmsTestSolution" - }, - "logAnalyticsWorkspaceName": { - "value": "adp-<>-az-law-sol-001" - }, - "product": { - "value": "nonmsTestSolutionProduct" - }, - "publisher": { - "value": "nonmsTestSolutionPublisher" - } - } -} - -``` - -
- -
- -via Bicep module - -```bicep -module solutions './Microsoft.OperationsManagement/solutions/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-solutions' - params: { - name: 'nonmsTestSolution' - logAnalyticsWorkspaceName: 'adp-<>-az-law-sol-001' - product: 'nonmsTestSolutionProduct' - publisher: 'nonmsTestSolutionPublisher' - } -``` - -
-

diff --git a/arm/Microsoft.OperationsManagement/solutions/version.json b/arm/Microsoft.OperationsManagement/solutions/version.json deleted file mode 100644 index 41f66cc990..0000000000 --- a/arm/Microsoft.OperationsManagement/solutions/version.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.1" -} diff --git a/arm/Microsoft.RecoveryServices/vaults/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.RecoveryServices/vaults/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.RecoveryServices/vaults/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.RecoveryServices/vaults/.bicep/nested_rbac.bicep index a16c2390fa..f3f449bb7c 100644 --- a/arm/Microsoft.RecoveryServices/vaults/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.RecoveryServices/vaults/.bicep/nested_rbac.bicep @@ -54,7 +54,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: rsv }] diff --git a/arm/Microsoft.RecoveryServices/vaults/.parameters/parameters.json b/arm/Microsoft.RecoveryServices/vaults/.parameters/parameters.json index 67f01a8bb6..dead4aa14b 100644 --- a/arm/Microsoft.RecoveryServices/vaults/.parameters/parameters.json +++ b/arm/Microsoft.RecoveryServices/vaults/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-rsv-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "backupConfig": { "value": { "enhancedSecurityState": "Disabled", 
diff --git a/arm/Microsoft.RecoveryServices/vaults/backupConfig/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/backupConfig/deploy.bicep
index 195fab06f3..9c4cee81d0 100644
--- a/arm/Microsoft.RecoveryServices/vaults/backupConfig/deploy.bicep
+++ b/arm/Microsoft.RecoveryServices/vaults/backupConfig/deploy.bicep
@@ -49,6 +49,9 @@ param storageTypeState string = 'Locked'
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
+@description('Optional. Is soft delete feature state editable.')
+param isSoftDeleteFeatureStateEditable bool = true
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
 properties: {
@@ -61,11 +64,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource rsv 'Microsoft.RecoveryServices/vaults@2021-12-01' existing = {
+resource rsv 'Microsoft.RecoveryServices/vaults@2022-02-01' existing = {
 name: recoveryVaultName
 }
-resource backupConfig 'Microsoft.RecoveryServices/vaults/backupconfig@2021-10-01' = {
+resource backupConfig 'Microsoft.RecoveryServices/vaults/backupconfig@2022-02-01' = {
 name: name
 parent: rsv
 properties: {
@@ -75,6 +78,7 @@ resource backupConfig 'Microsoft.RecoveryServices/vaults/backupconfig@2021-10-01
 storageModelType: storageModelType
 storageType: storageType
 storageTypeState: storageTypeState
+ isSoftDeleteFeatureStateEditable: isSoftDeleteFeatureStateEditable
 }
 }
diff --git a/arm/Microsoft.RecoveryServices/vaults/backupConfig/readme.md b/arm/Microsoft.RecoveryServices/vaults/backupConfig/readme.md
index 5e4530261b..21b28f6570 100644
--- a/arm/Microsoft.RecoveryServices/vaults/backupConfig/readme.md
+++ b/arm/Microsoft.RecoveryServices/vaults/backupConfig/readme.md
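Review bot: The description `Optional. Is soft delete feature state editable.` on the new `isSoftDeleteFeatureStateEditable` parameter only restates its name, so a caller has no basis for judging the `true` default. Soft delete is the vault's guard against backup data being removed, and whether its state can later be changed is a security-relevant choice that the module should spell out, for example `Optional. Whether the soft delete feature state can still be changed after this configuration is applied; set to false to keep the state selected by softDeleteFeatureState fixed.` — the exact effect should be confirmed against the 2022-02-01 resource reference rather than inferred from the property name. The same wording is propagated verbatim to the readme row in the next file, so fixing it at the source fixes both. The `softDeleteFeatureState` parameter this relates to is declared outside the hunk.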
@@ -12,7 +12,7 @@ This module deploys recovery services vault backup config. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.RecoveryServices/vaults/backupconfig` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-10-01/vaults/backupconfig) | +| `Microsoft.RecoveryServices/vaults/backupconfig` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/backupconfig) | ## Parameters @@ -26,6 +26,7 @@ This module deploys recovery services vault backup config. | :-- | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `enhancedSecurityState` | string | `'Enabled'` | `[Disabled, Enabled]` | Enable this setting to protect hybrid backups against accidental deletes and add additional layer of authentication for critical operations. | +| `isSoftDeleteFeatureStateEditable` | bool | `True` | | Is soft delete feature state editable. | | `name` | string | `'vaultconfig'` | | Name of the Azure Recovery Service Vault Backup Policy. | | `resourceGuardOperationRequests` | array | `[]` | | ResourceGuard Operation Requests. | | `softDeleteFeatureState` | string | `'Enabled'` | `[Disabled, Enabled]` | Enable this setting to protect backup data for Azure VM, SQL Server in Azure VM and SAP HANA in Azure VM from accidental deletes. | diff --git a/arm/Microsoft.RecoveryServices/vaults/backupPolicies/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/backupPolicies/deploy.bicep index 6c6360d4c5..c6b28a9134 100644 --- a/arm/Microsoft.RecoveryServices/vaults/backupPolicies/deploy.bicep +++ b/arm/Microsoft.RecoveryServices/vaults/backupPolicies/deploy.bicep 
@@ -22,11 +22,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource rsv 'Microsoft.RecoveryServices/vaults@2021-12-01' existing = { +resource rsv 'Microsoft.RecoveryServices/vaults@2022-02-01' existing = { name: recoveryVaultName } -resource backupPolicy 'Microsoft.RecoveryServices/vaults/backupPolicies@2021-08-01' = { +resource backupPolicy 'Microsoft.RecoveryServices/vaults/backupPolicies@2022-02-01' = { name: name parent: rsv properties: backupPolicyProperties diff --git a/arm/Microsoft.RecoveryServices/vaults/backupPolicies/readme.md b/arm/Microsoft.RecoveryServices/vaults/backupPolicies/readme.md index 23d8bd9f15..ee5bc84c9f 100644 --- a/arm/Microsoft.RecoveryServices/vaults/backupPolicies/readme.md +++ b/arm/Microsoft.RecoveryServices/vaults/backupPolicies/readme.md @@ -12,7 +12,7 @@ This module deploys a Backup Policy for a Recovery Services Vault | Resource Type | API Version | | :-- | :-- | -| `Microsoft.RecoveryServices/vaults/backupPolicies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupPolicies) | +| `Microsoft.RecoveryServices/vaults/backupPolicies` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/backupPolicies) | ## Parameters diff --git a/arm/Microsoft.RecoveryServices/vaults/backupStorageConfig/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/backupStorageConfig/deploy.bicep index b6e4c37347..4c692c390a 100644 --- a/arm/Microsoft.RecoveryServices/vaults/backupStorageConfig/deploy.bicep +++ b/arm/Microsoft.RecoveryServices/vaults/backupStorageConfig/deploy.bicep 
@@ -16,6 +16,22 @@ param storageModelType string = 'GeoRedundant'
 @description('Optional. Opt in details of Cross Region Restore feature.')
 param crossRegionRestoreFlag bool = true
+@description('Optional. Change Vault Dedup state.')
+@allowed([
+ 'Disabled'
+ 'Enabled'
+ 'Invalid'
+])
+param dedupState string = 'Disabled'
+
+@description('Optional. Change Vault x-cool state.')
+@allowed([
+ 'Disabled'
+ 'Enabled'
+ 'Invalid'
+])
+param xcoolState string = 'Disabled'
+
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
@@ -31,16 +47,18 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource rsv 'Microsoft.RecoveryServices/vaults@2021-12-01' existing = {
+resource rsv 'Microsoft.RecoveryServices/vaults@2022-02-01' existing = {
 name: recoveryVaultName
 }
-resource backupStorageConfig 'Microsoft.RecoveryServices/vaults/backupstorageconfig@2021-08-01' = {
+resource backupStorageConfig 'Microsoft.RecoveryServices/vaults/backupstorageconfig@2022-02-01' = {
 name: name
 parent: rsv
 properties: {
 storageModelType: storageModelType
 crossRegionRestoreFlag: crossRegionRestoreFlag
+ dedupState: dedupState
+ xcoolState: xcoolState
 }
 }
diff --git a/arm/Microsoft.RecoveryServices/vaults/backupStorageConfig/readme.md b/arm/Microsoft.RecoveryServices/vaults/backupStorageConfig/readme.md
index 47b0868c02..6c743a494d 100644
--- a/arm/Microsoft.RecoveryServices/vaults/backupStorageConfig/readme.md
+++ b/arm/Microsoft.RecoveryServices/vaults/backupStorageConfig/readme.md
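Review bot: The `@allowed` lists for the new `dedupState` and `xcoolState` parameters offer `'Invalid'` as a value a caller may select, which reads like an API sentinel rather than a configuration anyone should deploy; unless it has a documented effect for this resource, narrowing both lists to `'Disabled'` and `'Enabled'` keeps a mis-set parameter from reaching the vault. The descriptions `Change Vault Dedup state.` and `Change Vault x-cool state.` restate the parameter names and say nothing about what each state controls or what the `Disabled` default leaves in place; a sentence each, taken from the resource's documented semantics rather than inferred from the name, would let callers decide. The readme rows in the next file copy these descriptions, so they should be fixed here first.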
@@ -11,7 +11,7 @@ This module deploys the Backup Storage Configuration for the Recovery Service Va | Resource Type | API Version | | :-- | :-- | -| `Microsoft.RecoveryServices/vaults/backupstorageconfig` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupstorageconfig) | +| `Microsoft.RecoveryServices/vaults/backupstorageconfig` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/backupstorageconfig) | ## Parameters @@ -24,9 +24,11 @@ This module deploys the Backup Storage Configuration for the Recovery Service Va | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `crossRegionRestoreFlag` | bool | `True` | | Opt in details of Cross Region Restore feature. | +| `dedupState` | string | `'Disabled'` | `[Disabled, Enabled, Invalid]` | Change Vault Dedup state. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `name` | string | `'vaultstorageconfig'` | | The name of the backup storage config. | | `storageModelType` | string | `'GeoRedundant'` | `[GeoRedundant, LocallyRedundant, ReadAccessGeoZoneRedundant, ZoneRedundant]` | Change Vault Storage Type (Works if vault has not registered any backup instance). | +| `xcoolState` | string | `'Disabled'` | `[Disabled, Enabled, Invalid]` | Change Vault x-cool state. | ## Outputs diff --git a/arm/Microsoft.RecoveryServices/vaults/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/deploy.bicep index 2c7c040855..572ef79ede 100644 --- a/arm/Microsoft.RecoveryServices/vaults/deploy.bicep +++ b/arm/Microsoft.RecoveryServices/vaults/deploy.bicep 
@@ -196,6 +196,8 @@ module rsv_backupStorageConfiguration 'backupStorageConfig/deploy.bicep' = if (!
 storageModelType: backupStorageConfig.storageModelType
 crossRegionRestoreFlag: backupStorageConfig.crossRegionRestoreFlag
 enableDefaultTelemetry: enableReferencedModulesTelemetry
+ dedupState: backupStorageConfig.dedupState
+ xcoolState: backupStorageConfig.xcoolState
 }
 }
@@ -235,6 +237,7 @@ module rsv_backupConfig 'backupConfig/deploy.bicep' = if (!empty(backupConfig))
 storageModelType: contains(backupConfig, 'storageModelType') ? backupConfig.storageModelType : 'GeoRedundant'
 storageType: contains(backupConfig, 'storageType') ? backupConfig.storageType : 'GeoRedundant'
 storageTypeState: contains(backupConfig, 'storageTypeState') ? backupConfig.storageTypeState : 'Locked'
+ isSoftDeleteFeatureStateEditable: contains(backupConfig, 'isSoftDeleteFeatureStateEditable') ? backupConfig.isSoftDeleteFeatureStateEditable : true
 enableDefaultTelemetry: enableReferencedModulesTelemetry
 }
 }
diff --git a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/deploy.bicep
index cb49b30499..b3d38fdf49 100644
--- a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/deploy.bicep
+++ b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/deploy.bicep
@@ -4,9 +4,6 @@ param recoveryVaultName string
 @description('Required. Name of the Azure Recovery Service Vault Protection Container.')
 param name string
-@description('Optional. Location for all resources.')
-param location string = resourceGroup().location
-
 @description('Optional. Backup management type to execute the current Protection Container job.')
 @allowed([
 'AzureBackupServer'
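Review bot: `dedupState: backupStorageConfig.dedupState` and `xcoolState: backupStorageConfig.xcoolState` in the rsv_backupStorageConfiguration hunk read the two new keys unconditionally, so any existing caller whose `backupStorageConfig` object predates this change will fail at deployment with a missing-property error instead of picking up the sub-module's defaults. The sibling rsv_backupConfig hunk in the same file guards its new key with `contains(backupConfig, 'isSoftDeleteFeatureStateEditable') ? … : true`; the same shape keeps this module backward compatible: `dedupState: contains(backupStorageConfig, 'dedupState') ? backupStorageConfig.dedupState : 'Disabled'` and `xcoolState: contains(backupStorageConfig, 'xcoolState') ? backupStorageConfig.xcoolState : 'Disabled'`, which matches the defaults declared in backupStorageConfig/deploy.bicep. Both module declarations start outside their hunks.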
@@ -28,9 +25,6 @@ param sourceResourceId string = '' @description('Optional. Friendly name of the Protection Container.') param friendlyName string = '' -@description('Optional. Protected items to register in the container.') -param protectedItems array = [] - @description('Optional. Type of the container.') @allowed([ 'AzureBackupServerContainer' @@ -61,7 +55,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource protectionContainer 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers@2021-08-01' = { +resource protectionContainer 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers@2022-02-01' = { name: '${recoveryVaultName}/Azure/${name}' properties: { sourceResourceId: !empty(sourceResourceId) ? sourceResourceId : null @@ -71,23 +65,6 @@ resource protectionContainer 'Microsoft.RecoveryServices/vaults/backupFabrics/pr } } -module protectionContainer_protectedItems 'protectedItems/deploy.bicep' = [for (protectedItem, index) in protectedItems: { - name: '${uniqueString(deployment().name, location)}-ProtectedItem-${index}' - params: { - policyId: protectedItem.policyId - name: protectedItem.name - protectedItemType: protectedItem.protectedItemType - protectionContainerName: name - recoveryVaultName: recoveryVaultName - sourceResourceId: protectedItem.sourceResourceId - location: location - enableDefaultTelemetry: enableDefaultTelemetry - } - dependsOn: [ - protectionContainer - ] -}] - @description('The name of the Resource Group the Protection Container was created in.') output resourceGroupName string = resourceGroup().name diff --git a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/deploy.bicep deleted file mode 100644 index bc2b5c610d..0000000000 --- a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/deploy.bicep +++ /dev/null 
@@ -1,66 +0,0 @@ -@description('Required. Name of the resource.') -param name string - -@description('Conditional. Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment.') -param protectionContainerName string - -@description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.') -param recoveryVaultName string - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@allowed([ - 'AzureFileShareProtectedItem' - 'AzureVmWorkloadSAPAseDatabase' - 'AzureVmWorkloadSAPHanaDatabase' - 'AzureVmWorkloadSQLDatabase' - 'DPMProtectedItem' - 'GenericProtectedItem' - 'MabFileFolderProtectedItem' - 'Microsoft.ClassicCompute/virtualMachines' - 'Microsoft.Compute/virtualMachines' - 'Microsoft.Sql/servers/databases' -]) -@description('Required. The backup item type.') -param protectedItemType string - -@description('Required. ID of the backup policy with which this item is backed up.') -param policyId string - -@description('Required. Resource ID of the resource to back up.') -param sourceResourceId string - -@description('Optional. 
Enable telemetry via the Customer Usage Attribution ID (GUID).') -param enableDefaultTelemetry bool = true - -resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { - name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - } - } -} - -resource protectedItem 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems@2021-06-01' = { - name: '${recoveryVaultName}/Azure/${protectionContainerName}/${name}' - location: location - properties: { - protectedItemType: any(protectedItemType) - policyId: policyId - sourceResourceId: sourceResourceId - } -} - -@description('The name of the Resource Group the protected item was created in.') -output resourceGroupName string = resourceGroup().name - -@description('The resource ID of the protected item.') -output resourceId string = protectedItem.id - -@description('The Name of the protected item.') -output name string = protectedItem.name diff --git a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/readme.md b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/readme.md deleted file mode 100644 index fb3a8f11bc..0000000000 --- a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/readme.md +++ /dev/null 
@@ -1,46 +0,0 @@ -# Recovery Service Vault Protection Container Protected Item `[Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems]` - -This module deploys a Protection Container Protected Item for a Recovery Services Vault - -## Navigation - -- [Resource types](#Resource-types) -- [Parameters](#Parameters) -- [Outputs](#Outputs) - -## Resource types - -| Resource Type | API Version | -| :-- | :-- | -| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-06-01/vaults/backupFabrics/protectionContainers/protectedItems) | - -## Parameters - -**Required parameters** -| Parameter Name | Type | Allowed Values | Description | -| :-- | :-- | :-- | :-- | -| `name` | string | | Name of the resource. | -| `policyId` | string | | ID of the backup policy with which this item is backed up. | -| `protectedItemType` | string | `[AzureFileShareProtectedItem, AzureVmWorkloadSAPAseDatabase, AzureVmWorkloadSAPHanaDatabase, AzureVmWorkloadSQLDatabase, DPMProtectedItem, GenericProtectedItem, MabFileFolderProtectedItem, Microsoft.ClassicCompute/virtualMachines, Microsoft.Compute/virtualMachines, Microsoft.Sql/servers/databases]` | The backup item type. | -| `sourceResourceId` | string | | Resource ID of the resource to back up. | - -**Conditional parameters** -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `protectionContainerName` | string | Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment. | -| `recoveryVaultName` | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. 
| - -**Optional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `location` | string | `[resourceGroup().location]` | Location for all resources. | - - -## Outputs - -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The Name of the protected item. | -| `resourceGroupName` | string | The name of the Resource Group the protected item was created in. | -| `resourceId` | string | The resource ID of the protected item. | diff --git a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/version.json b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/version.json deleted file mode 100644 index 56f8d9ca40..0000000000 --- a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/version.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" -} diff --git a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/readme.md b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/readme.md index 5ca0d767ef..ba3997042b 100644 --- a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/readme.md +++ b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/readme.md 
@@ -1,19 +1,19 @@ -# RecoveryServicesProtectionContainer `[Microsoft.RecoveryServices/vaults/protectionContainers]` +# RecoveryServices Vaults ProtectionContainers `[Microsoft.RecoveryServices/vaults/protectionContainers]` -This module deploys a Protection Container for a Recovery Services Vault +This module deploys RecoveryServices Vaults ProtectionContainers. +// TODO: Replace Resource and fill in description ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | -| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupFabrics/protectionContainers) | -| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-06-01/vaults/backupFabrics/protectionContainers/protectedItems) | +| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/backupFabrics/protectionContainers) | ## Parameters 
@@ -34,11 +34,13 @@ This module deploys a Protection Container for a Recovery Services Vault | `containerType` | string | `''` | `[AzureBackupServerContainer, AzureSqlContainer, GenericContainer, Microsoft.ClassicCompute/virtualMachines, Microsoft.Compute/virtualMachines, SQLAGWorkLoadContainer, StorageContainer, VMAppContainer, Windows, ]` | Type of the container. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `friendlyName` | string | `''` | | Friendly name of the Protection Container. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `protectedItems` | _[protectedItems](protectedItems/readme.md)_ array | `[]` | | Protected items to register in the container. | | `sourceResourceId` | string | `''` | | Resource ID of the target resource for the Protection Container. | +### Parameter Usage: `` + +// TODO: Fill in Parameter usage + ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.RecoveryServices/vaults/readme.md b/arm/Microsoft.RecoveryServices/vaults/readme.md index a2d46f8587..e3b2d33ff6 100644 --- a/arm/Microsoft.RecoveryServices/vaults/readme.md +++ b/arm/Microsoft.RecoveryServices/vaults/readme.md @@ -4,12 +4,12 @@ This module deploys a recovery service vault. ## Navigation -- [Resource types](#Resource-types) +- [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) - [Deployment examples](#Deployment-examples) -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | 
@@ -17,15 +17,14 @@ This module deploys a recovery service vault. | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.RecoveryServices/vaults` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults) | -| `Microsoft.RecoveryServices/vaults/backupconfig` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-10-01/vaults/backupconfig) | -| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupFabrics/protectionContainers) | -| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-06-01/vaults/backupFabrics/protectionContainers/protectedItems) | -| `Microsoft.RecoveryServices/vaults/backupPolicies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupPolicies) | -| `Microsoft.RecoveryServices/vaults/backupstorageconfig` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupstorageconfig) | -| `Microsoft.RecoveryServices/vaults/replicationFabrics` | [2021-12-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-12-01/vaults/replicationFabrics) | +| `Microsoft.RecoveryServices/vaults/backupconfig` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/backupconfig) | +| 
`Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/backupFabrics/protectionContainers) | +| `Microsoft.RecoveryServices/vaults/backupPolicies` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/backupPolicies) | +| `Microsoft.RecoveryServices/vaults/backupstorageconfig` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/backupstorageconfig) | +| `Microsoft.RecoveryServices/vaults/replicationFabrics` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/replicationFabrics) | | `Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers` | [2021-12-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-12-01/vaults/replicationFabrics/replicationProtectionContainers) | | `Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings` | [2021-12-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-12-01/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings) | -| `Microsoft.RecoveryServices/vaults/replicationPolicies` | [2021-12-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-12-01/vaults/replicationPolicies) | +| `Microsoft.RecoveryServices/vaults/replicationPolicies` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/replicationPolicies) | ## Parameters diff --git a/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/deploy.bicep index 554d390ddb..48eae21c8d 100644 
--- a/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/deploy.bicep +++ b/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/deploy.bicep @@ -13,7 +13,7 @@ param replicationContainers array = [] @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}-rsvPolicy' @@ -27,7 +27,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource replicationFabric 'Microsoft.RecoveryServices/vaults/replicationFabrics@2021-12-01' = { +resource replicationFabric 'Microsoft.RecoveryServices/vaults/replicationFabrics@2022-02-01' = { name: '${recoveryVaultName}/${name}' properties: { customDetails: { @@ -44,7 +44,7 @@ module fabric_replicationContainers 'replicationProtectionContainers/deploy.bice recoveryVaultName: recoveryVaultName replicationFabricName: name replicationContainerMappings: contains(container, 'replicationContainerMappings') ? container.replicationContainerMappings : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ replicationFabric diff --git a/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/readme.md b/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/readme.md index 1c2b29110f..e7b106ddc2 100644 --- a/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/readme.md +++ b/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/readme.md 
@@ -14,7 +14,7 @@ This module deploys a Replication Fabric for Azure to Azure disaster recovery sc | Resource Type | API Version | | :-- | :-- | -| `Microsoft.RecoveryServices/vaults/replicationFabrics` | [2021-12-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-12-01/vaults/replicationFabrics) | +| `Microsoft.RecoveryServices/vaults/replicationFabrics` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/replicationFabrics) | | `Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers` | [2021-12-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-12-01/vaults/replicationFabrics/replicationProtectionContainers) | | `Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings` | [2021-12-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-12-01/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings) | diff --git a/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/deploy.bicep index 0a6422076a..cd531c8d17 100644 --- a/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/deploy.bicep +++ b/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/deploy.bicep 
@@ -13,7 +13,7 @@ param replicationContainerMappings array = [] @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}-rsvPolicy' @@ -50,7 +50,7 @@ module fabric_container_containerMappings 'replicationProtectionContainerMapping targetProtectionContainerId: contains(mapping, 'targetProtectionContainerId') ? mapping.targetProtectionContainerId : '' targetContainerFabricName: contains(mapping, 'targetContainerFabricName') ? mapping.targetContainerFabricName : replicationFabricName targetContainerName: contains(mapping, 'targetContainerName') ? mapping.targetContainerName : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ replicationContainer diff --git a/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/deploy.bicep index 42cefe55b9..66bdea2423 100644 --- a/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/deploy.bicep +++ b/arm/Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/deploy.bicep 
@@ -30,7 +30,7 @@ param enableDefaultTelemetry bool = true var policyResourceId = policyId != '' ? policyId : subscriptionResourceId('Microsoft.RecoveryServices/vaults/replicationPolicies', recoveryVaultName, policyName) var targetProtectionContainerResourceId = targetProtectionContainerId != '' ? targetProtectionContainerId : subscriptionResourceId('Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers', recoveryVaultName, targetContainerFabricName, targetContainerName) -var mappingName = !empty(name) ? name : '${sourceProtectionContainerName}-${split(targetProtectionContainerResourceId, '/')[10]}' +var mappingName = name != '' ? name : concat(sourceProtectionContainerName, '-', split(targetProtectionContainerResourceId, '/')[10]) resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}-rsvPolicy' diff --git a/arm/Microsoft.RecoveryServices/vaults/replicationPolicies/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/replicationPolicies/deploy.bicep index 123e2f07ca..2e98ec396a 100644 --- a/arm/Microsoft.RecoveryServices/vaults/replicationPolicies/deploy.bicep +++ b/arm/Microsoft.RecoveryServices/vaults/replicationPolicies/deploy.bicep @@ -35,7 +35,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource replicationPolicy 'Microsoft.RecoveryServices/vaults/replicationPolicies@2021-12-01' = { +resource replicationPolicy 'Microsoft.RecoveryServices/vaults/replicationPolicies@2022-02-01' = { name: '${recoveryVaultName}/${name}' properties: { providerSpecificInput: { diff --git a/arm/Microsoft.RecoveryServices/vaults/replicationPolicies/readme.md b/arm/Microsoft.RecoveryServices/vaults/replicationPolicies/readme.md index f5b3f0662e..8f98e9ac0c 100644 --- a/arm/Microsoft.RecoveryServices/vaults/replicationPolicies/readme.md 
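Review bot: The rewritten `mappingName` line trades string interpolation for `concat()` and `!empty(name)` for `name != ''`, which is a style regression: the Bicep linter's prefer-interpolation rule flags `concat()` on strings, and every other expression in this diff keeps using `${...}` and `empty()`. The previous form, `var mappingName = !empty(name) ? name : '${sourceProtectionContainerName}-${split(targetProtectionContainerResourceId, '/')[10]}'`, is equivalent and lints clean. The hard-coded `[10]` segment index (the fabric name for a well-formed container resource ID, as far as I can tell from the `subscriptionResourceId` fallback above it) predates this commit, but a short trailing comment such as `// segment 10 = target fabric name` would spare the next reader from counting slashes. The enclosing file continues outside the hunk.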
+++ b/arm/Microsoft.RecoveryServices/vaults/replicationPolicies/readme.md @@ -14,7 +14,7 @@ This module deploys a Replication Policy for Disaster Recovery scenario. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.RecoveryServices/vaults/replicationPolicies` | [2021-12-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-12-01/vaults/replicationPolicies) | +| `Microsoft.RecoveryServices/vaults/replicationPolicies` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/replicationPolicies) | ## Parameters diff --git a/arm/Microsoft.Resources/deploymentScripts/.parameters/ps.parameters.json b/arm/Microsoft.Resources/deploymentScripts/.parameters/ps.parameters.json index accc14b0b0..9f780f49a5 100644 --- a/arm/Microsoft.Resources/deploymentScripts/.parameters/ps.parameters.json +++ b/arm/Microsoft.Resources/deploymentScripts/.parameters/ps.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-ds-ps-001" }, - "lock": { - "value": "CanNotDelete" - }, "userAssignedIdentities": { "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} diff --git a/arm/Microsoft.Resources/deploymentScripts/deploy.bicep b/arm/Microsoft.Resources/deploymentScripts/deploy.bicep index 823f3a28f4..a221e96143 100644 --- a/arm/Microsoft.Resources/deploymentScripts/deploy.bicep +++ b/arm/Microsoft.Resources/deploymentScripts/deploy.bicep @@ -59,12 +59,12 @@ param timeout string = 'PT1H' param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss') @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Tags of the resource.') param tags object = {} 
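Review bot: Removing `"lock": { "value": "CanNotDelete" }` from `ps.parameters.json` leaves the `deploymentScript_lock` resource in `deploy.bicep` (guarded by `lock != 'NotSpecified'` in the next hunk) with no validation deployment exercising it, so a regression in the lock path would pass CI unnoticed. If the intent is to stop a CanNotDelete lock from blocking test-resource teardown, that is reasonable, but then a `ReadOnly` variant or a second parameter file should keep the branch covered; as committed, the only caller of the lock code is the readme example. A one-line note in the commit description saying why the lock was dropped from the test inputs would also help the next person who wonders whether it was deliberate.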
@@ -117,11 +117,11 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { } } -resource deploymentScript_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource deploymentScript_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${deploymentScript.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: deploymentScript } diff --git a/arm/Microsoft.Resources/deploymentScripts/readme.md b/arm/Microsoft.Resources/deploymentScripts/readme.md index 7d67cd731e..4dc931953d 100644 --- a/arm/Microsoft.Resources/deploymentScripts/readme.md +++ b/arm/Microsoft.Resources/deploymentScripts/readme.md 
@@ -36,7 +36,7 @@ This module deploys a deployment script. | `environmentVariables` | array | `[]` | | The environment variables to pass over to the script. Must have a 'name' and a 'value' or a 'secretValue' property. | | `kind` | string | `'AzurePowerShell'` | `[AzurePowerShell, AzureCLI]` | Type of the script. AzurePowerShell, AzureCLI. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `primaryScriptUri` | string | `''` | | Uri for the external script. This is the entry point for the external script. To run an internal script, use the scriptContent instead. | | `retentionInterval` | string | `'P1D'` | | Interval for which the service retains the script resource after it reaches a terminal state. Resource will be deleted when this duration expires. Duration is based on ISO 8601 pattern (for example P7D means one week). | | `runOnce` | bool | `False` | | When set to false, script will run every time the template is deployed. When set to true, the script will only run once. | @@ -227,9 +227,6 @@ module deploymentScripts './Microsoft.Resources/deploymentScripts/deploy.bicep' "name": { "value": "<>-az-ds-ps-001" }, - "lock": { - "value": "CanNotDelete" - }, "userAssignedIdentities": { "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} @@ -272,7 +269,6 @@ module deploymentScripts './Microsoft.Resources/deploymentScripts/deploy.bicep' name: '${uniqueString(deployment().name)}-deploymentScripts' params: { name: '<>-az-ds-ps-001' - lock: 'CanNotDelete' userAssignedIdentities: { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} } 
diff --git a/arm/Microsoft.Resources/resourceGroups/.bicep/nested_lock.bicep b/arm/Microsoft.Resources/resourceGroups/.bicep/nested_lock.bicep index 96d0f4c23b..c3f8915657 100644 --- a/arm/Microsoft.Resources/resourceGroups/.bicep/nested_lock.bicep +++ b/arm/Microsoft.Resources/resourceGroups/.bicep/nested_lock.bicep @@ -1,26 +1,31 @@ -@description('Optional. The name of the lock.') -param name string = '${level}-lock' +@description('Optional. The name of the Lock') +param name string = '' @allowed([ 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) -@description('Required. Set lock level.') -param level string +@description('Optional. Set lock level.') +param level string = 'NotSpecified' -@description('Optional. The decription attached to the lock.') -param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' +var lockNotes = { + CanNotDelete: 'Cannot delete resource or child resources.' + ReadOnly: 'Cannot modify the resource or child resources.' +} + +var lockName = empty(name) ? '${level}-lock' : name -resource lock 'Microsoft.Authorization/locks@2017-04-01' = { - name: name +resource lock 'Microsoft.Authorization/locks@2017-04-01' = if (level != 'NotSpecified') { + name: lockName properties: { level: level - notes: notes + notes: lockNotes[level] } } -@description('The resource ID of the lock.') +@description('The resource ID of the lock') output resourceId string = lock.id -@description('The name of the lock.') +@description('The name of the lock') output name string = lock.name diff --git a/arm/Microsoft.Resources/resourceGroups/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Resources/resourceGroups/.bicep/nested_rbac.bicep similarity index 99% rename from arm/Microsoft.Resources/resourceGroups/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Resources/resourceGroups/.bicep/nested_rbac.bicep index aec6bf8af7..156827f084 100644 
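Review bot: `lockNotes[level]` has no key for `'NotSpecified'`, which is now the default for `level`; the resource is conditioned off in that case, but ARM is documented to still evaluate some expressions of a condition-false resource, so deploying this file standalone with defaults may fail on the missing property rather than deploy nothing. Either add `NotSpecified: ''` to `lockNotes` or keep the ternary the old code used, `notes: level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'`. The two outputs also dereference the now-conditional `lock` resource, so they are only meaningful when a real level is passed — worth saying in their `@description` strings, which in this hunk additionally lost their trailing periods (`'The name of the Lock'`) and no longer match the sentence style used by the other `@description` decorators in this change.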
--- a/arm/Microsoft.Resources/resourceGroups/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Resources/resourceGroups/.bicep/nested_rbac.bicep @@ -203,6 +203,6 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } }] diff --git a/arm/Microsoft.Resources/resourceGroups/.parameters/parameters.json b/arm/Microsoft.Resources/resourceGroups/.parameters/parameters.json index a132c26376..3be494132c 100644 --- a/arm/Microsoft.Resources/resourceGroups/.parameters/parameters.json +++ b/arm/Microsoft.Resources/resourceGroups/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-rg-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "tags": { "value": { "Test": "Yes" diff --git a/arm/Microsoft.Resources/resourceGroups/deploy.bicep b/arm/Microsoft.Resources/resourceGroups/deploy.bicep index d833f6e1cc..81f31d26bc 100644 --- a/arm/Microsoft.Resources/resourceGroups/deploy.bicep +++ b/arm/Microsoft.Resources/resourceGroups/deploy.bicep 
@@ -7,12 +7,12 @@ param name string param location string = deployment().location @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -43,16 +43,16 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2019-05-01' = { properties: {} } -module resourceGroup_lock '.bicep/nested_lock.bicep' = if (!empty(lock)) { - name: '${uniqueString(deployment().name, location)}-${lock}-Lock' +module resourceGroup_lock '.bicep/nested_lock.bicep' = if (lock != 'NotSpecified') { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-RG-${lock}-Lock' params: { - level: any(lock) name: '${resourceGroup.name}-${lock}-lock' + level: lock } - scope: resourceGroup } -module resourceGroup_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module resourceGroup_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-RG-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Resources/resourceGroups/readme.md b/arm/Microsoft.Resources/resourceGroups/readme.md index 46bc18871f..dc6cb908a1 100644 --- a/arm/Microsoft.Resources/resourceGroups/readme.md +++ b/arm/Microsoft.Resources/resourceGroups/readme.md 
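Review bot: Dropping `''` from `@allowed` on `lock` turns the former documented default into a validation error for any caller that passes `lock: ''` explicitly, for example a wrapper template forwarding its own optional string; that is a breaking interface change and should be called out in the commit description together with the new `'NotSpecified'` sentinel. In the `@@ -43,16` hunk the module call is guarded by `lock != 'NotSpecified'` while `nested_lock.bicep` now also defaults `level` to `'NotSpecified'` and guards again, so the same check lives in two places; a short comment on the module line, `// guard here so the nested module never receives the sentinel`, makes that intentional rather than accidental. Since `name` is always passed, the `lockName` fallback in the nested file is unreachable from this caller — fine, but worth knowing when reading the nested module.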
@@ -30,7 +30,7 @@ This module deploys a resource group. | :-- | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[deployment().location]` | | Location of the Resource Group. It uses the deployment's location when not provided. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the storage account resource. | @@ -163,9 +163,6 @@ This module requires a User Assigned Identity (MSI, managed service identity) to "name": { "value": "<>-az-rg-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "tags": { "value": { "Test": "Yes" @@ -197,7 +194,6 @@ module resourceGroups './Microsoft.Resources/resourceGroups/deploy.bicep' = { name: '${uniqueString(deployment().name)}-resourceGroups' params: { name: '<>-az-rg-x-001' - lock: 'CanNotDelete' tags: { Test: 'Yes' } diff --git a/arm/Microsoft.Resources/tags/deploy.bicep b/arm/Microsoft.Resources/tags/deploy.bicep index 146c2c57c1..6fb849e37c 100644 --- a/arm/Microsoft.Resources/tags/deploy.bicep +++ b/arm/Microsoft.Resources/tags/deploy.bicep 
@@ -18,7 +18,7 @@ param location string = deployment().location @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -39,7 +39,7 @@ module tags_sub 'subscriptions/deploy.bicep' = if (!empty(subscriptionId) && emp onlyUpdate: onlyUpdate tags: tags location: location - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -49,7 +49,7 @@ module tags_rg 'resourceGroups/deploy.bicep' = if (!empty(resourceGroupName) && params: { onlyUpdate: onlyUpdate tags: tags - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } diff --git a/arm/Microsoft.Security/azureSecurityCenter/deploy.bicep b/arm/Microsoft.Security/azureSecurityCenter/deploy.bicep index 5987272f88..b72892858d 100644 --- a/arm/Microsoft.Security/azureSecurityCenter/deploy.bicep +++ b/arm/Microsoft.Security/azureSecurityCenter/deploy.bicep 
@@ -119,61 +119,6 @@ param securityContactProperties object = {} @description('Optional. Location deployment metadata.') param location string = deployment().location -var pricings = [ - { - name: 'VirtualMachines' - pricingTier: virtualMachinesPricingTier - } - { - name: 'SqlServers' - pricingTier: sqlServersPricingTier - } - { - name: 'AppServices' - pricingTier: appServicesPricingTier - } - { - name: 'StorageAccounts' - pricingTier: storageAccountsPricingTier - } - { - name: 'SqlServerVirtualMachines' - pricingTier: sqlServerVirtualMachinesPricingTier - } - { - name: 'KubernetesService' - pricingTier: kubernetesServicePricingTier - } - { - name: 'ContainerRegistry' - pricingTier: containerRegistryPricingTier - } - { - name: 'KeyVaults' - pricingTier: keyVaultsPricingTier - } - { - name: 'Dns' - pricingTier: dnsPricingTier - } - { - name: 'Arm' - pricingTier: armPricingTier - } - { - name: 'OpenSourceRelationalDatabases' - pricingTier: openSourceRelationalDatabasesTier - } - { - name: 'Containers' - pricingTier: containersTier - } - { - name: 'CosmosDbs' - pricingTier: cosmosDbsTier - } -] - resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' location: location @@ -187,13 +132,6 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource pricingTiers 'Microsoft.Security/pricings@2018-06-01' = [for (pricing, index) in pricings: { - name: pricing.name - properties: { - pricingTier: pricing.pricingTier - } -}] - resource autoProvisioningSettings 'Microsoft.Security/autoProvisioningSettings@2017-08-01-preview' = { name: 'default' properties: { 
@@ -219,6 +157,97 @@ module iotSecuritySolutions '.bicep/nested_iotSecuritySolutions.bicep' = if (!em } } +resource VirtualMachinesPricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'VirtualMachines' + properties: { + pricingTier: virtualMachinesPricingTier + } +} + +resource SqlServersPricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'SqlServers' + properties: { + pricingTier: sqlServersPricingTier + } +} + +resource AppServicesPricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'AppServices' + properties: { + pricingTier: appServicesPricingTier + } +} + +resource StorageAccountsPricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'StorageAccounts' + properties: { + pricingTier: storageAccountsPricingTier + } +} + +resource SqlServerVirtualMachinesPricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'SqlServerVirtualMachines' + properties: { + pricingTier: sqlServerVirtualMachinesPricingTier + } +} + +resource KubernetesServicePricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'KubernetesService' + properties: { + pricingTier: kubernetesServicePricingTier + } +} + +resource ContainerRegistryPricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'ContainerRegistry' + properties: { + pricingTier: containerRegistryPricingTier + } +} + +resource KeyVaultsPricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'KeyVaults' + properties: { + pricingTier: keyVaultsPricingTier + } +} + +resource DnsPricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'Dns' + properties: { + pricingTier: dnsPricingTier + } +} + +resource ArmPricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'Arm' + properties: { + pricingTier: armPricingTier + } +} + +resource OpenSourceRelationalDatabasesPricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'OpenSourceRelationalDatabases' + properties: { + pricingTier: openSourceRelationalDatabasesTier + } +} + +resource 
ContainersPricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'Containers' + properties: { + pricingTier: containersTier + } +} + +resource CosmosDbsPricingTier 'Microsoft.Security/pricings@2018-06-01' = { + name: 'CosmosDbs' + properties: { + pricingTier: cosmosDbsTier + } +} + resource securityContacts 'Microsoft.Security/securityContacts@2017-08-01-preview' = if (!empty(securityContactProperties)) { name: 'securityContacts' properties: { @@ -240,8 +269,5 @@ resource workspaceSettings 'Microsoft.Security/workspaceSettings@2017-08-01-prev ] } -@description('The resource ID of the used log analytics workspace.') +@description('The resource IDs of the used log analytics workspace.') output workspaceId string = workspaceId - -@description('The name of the security center.') -output name string = 'Security' diff --git a/arm/Microsoft.Security/azureSecurityCenter/readme.md b/arm/Microsoft.Security/azureSecurityCenter/readme.md index c459724911..5fc8168201 100644 --- a/arm/Microsoft.Security/azureSecurityCenter/readme.md +++ b/arm/Microsoft.Security/azureSecurityCenter/readme.md @@ -91,8 +91,7 @@ securityContactProperties: { | Output Name | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the security center. | -| `workspaceId` | string | The resource ID of the used log analytics workspace. | +| `workspaceId` | string | The resource IDs of the used log analytics workspace. | ## Deployment examples diff --git a/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_privateEndpoints.bicep b/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_privateEndpoints.bicep new file mode 100644 index 0000000000..d1381aa576 --- /dev/null +++ b/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_privateEndpoints.bicep 
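Review bot: The `@@ -240,8 +269,5` hunk removes the `name` output, which is a breaking change for any caller reading `securityCenter.outputs.name`; if the removal is intentional it should be flagged as breaking, otherwise keep `output name string = 'Security'`. The new `workspaceId` description says "resource IDs" (plural) for a single `string` output — the previous `@description('The resource ID of the used log analytics workspace.')` was correct and the readme hunk copies the wrong wording. The thirteen explicit `Microsoft.Security/pricings` resources that replace the `pricings` array loop are semantically identical as far as the hunk shows; if the unrolling is for a tooling reason (readme or test generation, presumably), a one-line comment above the first block saying so would stop the next reader from folding them back into a loop. The `@@ -219` hunk starts on the previous source line.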
@@ -0,0 +1,49 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpoint object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: contains(privateEndpoint, 'name') ? (empty(privateEndpoint.name) ? '${privateEndpointResourceName}-${privateEndpoint.service}' : privateEndpoint.name) : '${privateEndpointResourceName}-${privateEndpoint.service}'
+ subnetResourceId: privateEndpoint.subnetResourceId
+ service: [
+ privateEndpoint.service
+ ]
+ privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? (empty(privateEndpoint.privateDnsZoneResourceIds) ? [] : privateEndpoint.privateDnsZoneResourceIds) : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? (empty(privateEndpoint.customDnsConfigs) ? null : privateEndpoint.customDnsConfigs) : null
+}
+
+resource privateEndpoint_name 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+
+ resource privateEndpoint_name_default 'privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
+ name: 'default'
+ properties: {
+ privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): {
+ name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/'))
+ properties: {
+ privateDnsZoneId: privateEndpoint_var.privateDnsZoneResourceIds[j]
+ }
+ }]
+ }
+ }
+}
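Review bot: The default endpoint name `'${privateEndpointResourceName}-${privateEndpoint.service}'` drops the `-${index}` suffix the replaced shared-module call used, so two entries in `privateEndpoints` with the same `service` and no explicit `name` now resolve to the same `Microsoft.Network/privateEndpoints` name and collide; adding a `param index int` to this template and folding it into the default name restores uniqueness. Compared with the shared module this replaces, the nested template also has no `lock` and no `roleAssignments` parameter, so a namespace lock no longer covers its private endpoints — if that is intended, the readme's `privateEndpoints` description should say so. Note that the same commit removes the `privateEndpoints` entry from `.parameters/parameters.json`, so this new file is not exercised by the module's validation deployment.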
diff --git a/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.ServiceBus/namespaces/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.ServiceBus/namespaces/.bicep/nested_rbac.bicep index 24ee49e11f..5f603b7cfa 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_rbac.bicep @@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: namespace }] diff --git a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json index 33c0288e8c..6a1694eee9 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-sbn-x-002" }, - "lock": { - "value": "CanNotDelete" - }, "skuName": { "value": "Premium" }, @@ -154,14 +151,6 @@ "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} } - }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "namespace" - } - ] } } } diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index d84954cc60..afb2096942 100644 
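Review bot: Dropping `any()` around `principalType` only type-checks cleanly if the `principalType` parameter is declared with an `@allowed` list matching the role assignment's `principalType` enum; with a plain `string` declaration the compiler emits a type-mismatch warning, which is presumably why `any()` was there. The declaration is above the hunk, so this cannot be confirmed here; the same one-line change is made in the `queues`, `topics`, `Microsoft.ServiceFabric/clusters` and `Microsoft.Sql/managedInstances` `nested_rbac.bicep` files in this commit.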
--- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep @@ -58,12 +58,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false @@ -141,7 +141,7 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -175,7 +175,7 @@ module serviceBusNamespace_disasterRecoveryConfig 'disasterRecoveryConfigs/deplo name: contains(disasterRecoveryConfigs, 'name') ? disasterRecoveryConfigs.name : 'default' alternateName: contains(disasterRecoveryConfigs, 'alternateName') ? disasterRecoveryConfigs.alternateName : '' partnerNamespaceResourceID: contains(disasterRecoveryConfigs, 'partnerNamespace') ? disasterRecoveryConfigs.partnerNamespace : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -186,7 +186,7 @@ module serviceBusNamespace_migrationConfigurations 'migrationConfigurations/depl name: contains(migrationConfigurations, 'name') ? migrationConfigurations.name : '$default' postMigrationName: migrationConfigurations.postMigrationName targetNamespaceResourceId: migrationConfigurations.targetNamespace - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } 
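Review bot: Replacing `''` with `'NotSpecified'` in `@allowed` makes every existing caller that passes `lock: ''` explicitly fail validation, and the sentinel's meaning is not documented; extend the description, e.g. `@description('Optional. Specify the type of lock. \'NotSpecified\' deploys no lock.')`. The same change is made in `queues/deploy.bicep`, `topics/deploy.bicep`, `Microsoft.ServiceFabric/clusters/deploy.bicep` and `Microsoft.Sql/managedInstances/databases/deploy.bicep`, whose lock resources now deploy on `lock != 'NotSpecified'`. Because the commit also removes `lock: 'CanNotDelete'` from the `.parameters` files of these modules, none of the `level: lock` resources is exercised by a validation deployment anymore — keeping the lock in at least one parameter file would cover that path. In `managedInstances/databases/deploy.bicep` the `notes` expression gains parentheses, `(lock == 'CanNotDelete')`, that the sibling modules do not have; either form is fine but they should match.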
@@ -196,7 +196,7 @@ module serviceBusNamespace_virtualNetworkRules 'virtualNetworkRules/deploy.bicep namespaceName: serviceBusNamespace.name name: last(split(virtualNetworkRule, '/')) virtualNetworkSubnetId: virtualNetworkRule - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -206,7 +206,7 @@ module serviceBusNamespace_authorizationRules 'authorizationRules/deploy.bicep' namespaceName: serviceBusNamespace.name name: authorizationRule.name rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -218,7 +218,7 @@ module serviceBusNamespace_ipFilterRules 'ipFilterRules/deploy.bicep' = [for (ip action: ipFilterRule.action filterName: ipFilterRule.filterName ipMask: ipFilterRule.ipMask - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -243,7 +243,7 @@ module serviceBusNamespace_queues 'queues/deploy.bicep' = [for (queue, index) in enableBatchedOperations: contains(queue, 'enableBatchedOperations') ? queue.enableBatchedOperations : true enableExpress: contains(queue, 'enableExpress') ? queue.enableExpress : false enablePartitioning: contains(queue, 'enablePartitioning') ? queue.enablePartitioning : false - lock: contains(queue, 'lock') ? queue.lock : '' + lock: contains(queue, 'lock') ? queue.lock : 'NotSpecified' lockDuration: contains(queue, 'lockDuration') ? queue.lockDuration : 'PT1M' maxDeliveryCount: contains(queue, 'maxDeliveryCount') ? queue.maxDeliveryCount : 10 maxSizeInMegabytes: contains(queue, 'maxSizeInMegabytes') ? queue.maxSizeInMegabytes : 1024 
@@ -251,7 +251,7 @@ module serviceBusNamespace_queues 'queues/deploy.bicep' = [for (queue, index) in requiresSession: contains(queue, 'requiresSession') ? queue.requiresSession : false roleAssignments: contains(queue, 'roleAssignments') ? queue.roleAssignments : [] status: contains(queue, 'status') ? queue.status : 'Active' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] 
@@ -276,21 +276,21 @@ module serviceBusNamespace_topics 'topics/deploy.bicep' = [for (topic, index) in
 enableBatchedOperations: contains(topic, 'enableBatchedOperations') ? topic.enableBatchedOperations : true
 enableExpress: contains(topic, 'enableExpress') ? topic.enableExpress : false
 enablePartitioning: contains(topic, 'enablePartitioning') ? topic.enablePartitioning : false
- lock: contains(topic, 'lock') ? topic.lock : ''
+ lock: contains(topic, 'lock') ? topic.lock : 'NotSpecified'
 maxMessageSizeInKilobytes: contains(topic, 'maxMessageSizeInKilobytes') ? topic.maxMessageSizeInKilobytes : 1024
 maxSizeInMegabytes: contains(topic, 'maxSizeInMegabytes') ? topic.maxSizeInMegabytes : 1024
 requiresDuplicateDetection: contains(topic, 'requiresDuplicateDetection') ? topic.requiresDuplicateDetection : false
 roleAssignments: contains(topic, 'roleAssignments') ? topic.roleAssignments : []
 status: contains(topic, 'status') ? topic.status : 'Active'
 supportOrdering: contains(topic, 'supportOrdering') ? topic.supportOrdering : false
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
 
-resource serviceBusNamespace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource serviceBusNamespace_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${serviceBusNamespace.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: serviceBusNamespace
@@ -309,27 +309,17 @@ resource serviceBusNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticSe
 scope: serviceBusNamespace
 }
 
-module serviceBusNamespace_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-Namespace-PrivateEndpoint-${index}'
+module serviceBusNamespace_privateEndpoints '.bicep/nested_privateEndpoints.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+ name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-${index}'
 params: {
- groupIds: [
- privateEndpoint.service
- ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(serviceBusNamespace.id, '/'))}-${privateEndpoint.service}-${index}'
- serviceResourceId: serviceBusNamespace.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
+ privateEndpointResourceId: serviceBusNamespace.id
+ privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ privateEndpoint: privateEndpoint
+ tags: tags
 }
 }]
 
-module serviceBusNamespace_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module serviceBusNamespace_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${deployment().name}-rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.ServiceBus/namespaces/queues/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.ServiceBus/namespaces/queues/.bicep/nested_rbac.bicep
similarity index 98%
rename from arm/Microsoft.ServiceBus/namespaces/queues/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.ServiceBus/namespaces/queues/.bicep/nested_rbac.bicep
index 573648e0a5..045b026dda 100644
--- a/arm/Microsoft.ServiceBus/namespaces/queues/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.ServiceBus/namespaces/queues/.bicep/nested_rbac.bicep
@@ -50,7 +50,7 @@ resource roleAssigment 'Microsoft.Authorization/roleAssignments@2020-10-01-previ
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: queue
 }]
diff --git a/arm/Microsoft.ServiceBus/namespaces/queues/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/queues/deploy.bicep
index a43ed6795c..a6f9d94625 100644
--- a/arm/Microsoft.ServiceBus/namespaces/queues/deploy.bicep
+++ b/arm/Microsoft.ServiceBus/namespaces/queues/deploy.bicep
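Review bot: The new module call passes `tags: tags` (the namespace tags) where the replaced call passed `contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}`, so per-endpoint tags in a `privateEndpoints` entry are now silently ignored; if that is intended the readme's `privateEndpoints` description should say so, otherwise use `tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : tags`. The old call forwarded `privateEndpoint.privateDnsZoneGroups`, while `.bicep/nested_privateEndpoints.bicep` reads `privateEndpoint.privateDnsZoneResourceIds`, so an existing parameter file that still uses the `privateDnsZoneGroups` key now gets an endpoint with no DNS zone group and no error — a breaking key rename that should be called out in the readme and commit description. The per-endpoint `lock` and `roleAssignments` the old call forwarded have no counterpart in the nested template either, so they are dropped as well.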
@@ -70,12 +70,12 @@ param authorizationRules array = [ ] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -83,7 +83,7 @@ param roleAssignments array = [] @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' 
@@ -127,20 +127,20 @@ module queue_authorizationRules 'authorizationRules/deploy.bicep' = [for (author queueName: queue.name name: authorizationRule.name rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] -resource queue_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource queue_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${queue.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: queue } -module queue_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module queue_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${deployment().name}-rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.ServiceBus/namespaces/queues/readme.md b/arm/Microsoft.ServiceBus/namespaces/queues/readme.md index cc99507252..c6a5aed92c 100644 --- a/arm/Microsoft.ServiceBus/namespaces/queues/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/queues/readme.md 
@@ -40,7 +40,7 @@ This module deploys a queue for a service bus namespace. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `enableExpress` | bool | `False` | | A value that indicates whether Express Entities are enabled. An express queue holds a message in memory temporarily before writing it to persistent storage. | | `enablePartitioning` | bool | `False` | | A value that indicates whether the queue is to be partitioned across multiple message brokers. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `lockDuration` | string | `'PT1M'` | | ISO 8601 timespan duration of a peek-lock; that is, the amount of time that the message is locked for other receivers. The maximum value for LockDuration is 5 minutes; the default value is 1 minute. | | `maxDeliveryCount` | int | `10` | | The maximum delivery count. A message is automatically deadlettered after this number of deliveries. default value is 10. | | `maxSizeInMegabytes` | int | `1024` | | The maximum size of the queue in megabytes, which is the size of memory allocated for the queue. Default is 1024. | diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 55a6e88415..6e1304f01d 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md 
@@ -52,7 +52,7 @@ This module deploys a service bus namespace resource. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `ipFilterRules` | _[ipFilterRules](ipFilterRules/readme.md)_ array | `[]` | | IP Filter Rules for the Service Bus namespace. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `migrationConfigurations` | _[migrationConfigurations](migrationConfigurations/readme.md)_ object | `{object}` | | The migration configuration. | | `name` | string | `''` | | Name of the Service Bus Namespace. If no name is provided, then unique name will be created. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | @@ -339,9 +339,6 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "name": { "value": "<>-az-sbn-x-002" }, - "lock": { - "value": "CanNotDelete" - }, "skuName": { "value": "Premium" }, @@ -488,14 +485,6 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} } - }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "namespace" - } - ] } } } @@ -513,7 +502,6 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-namespaces' params: { name: '<>-az-sbn-x-002' - lock: 'CanNotDelete' skuName: 'Premium' tags: {} roleAssignments: [ 
@@ -627,12 +615,6 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { userAssignedIdentities: { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} } - privateEndpoints: [ - { - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' - service: 'namespace' - } - ] } ``` diff --git a/arm/Microsoft.ServiceBus/namespaces/topics/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.ServiceBus/namespaces/topics/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.ServiceBus/namespaces/topics/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.ServiceBus/namespaces/topics/.bicep/nested_rbac.bicep index b67f08e3e0..c28c75ad88 100644 --- a/arm/Microsoft.ServiceBus/namespaces/topics/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/topics/.bicep/nested_rbac.bicep @@ -50,7 +50,7 @@ resource roleAssigment 'Microsoft.Authorization/roleAssignments@2020-10-01-previ description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: topic }] diff --git a/arm/Microsoft.ServiceBus/namespaces/topics/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/topics/deploy.bicep index e88f0c7830..97fc4780ba 100644 --- a/arm/Microsoft.ServiceBus/namespaces/topics/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/topics/deploy.bicep 
@@ -67,12 +67,12 @@ param authorizationRules array = [ ] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -80,7 +80,7 @@ param roleAssignments array = [] @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' 
@@ -123,20 +123,20 @@ module topic_authorizationRules 'authorizationRules/deploy.bicep' = [for (author topicName: topic.name name: authorizationRule.name rights: contains(authorizationRule, 'rights') ? authorizationRule.rights : [] - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] -resource topic_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource topic_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${topic.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: topic } -module topic_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module topic_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${deployment().name}-rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.ServiceBus/namespaces/topics/readme.md b/arm/Microsoft.ServiceBus/namespaces/topics/readme.md index f0d768ddde..c4b599db5e 100644 --- a/arm/Microsoft.ServiceBus/namespaces/topics/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/topics/readme.md 
@@ -40,7 +40,7 @@ This module deploys a topic for a service bus namespace. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `enableExpress` | bool | `False` | | A value that indicates whether Express Entities are enabled. An express topic holds a message in memory temporarily before writing it to persistent storage. | | `enablePartitioning` | bool | `False` | | A value that indicates whether the topic is to be partitioned across multiple message brokers. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `maxMessageSizeInKilobytes` | int | `1024` | | Maximum size (in KB) of the message payload that can be accepted by the topic. This property is only used in Premium today and default is 1024. | | `maxSizeInMegabytes` | int | `1024` | | The maximum size of the topic in megabytes, which is the size of memory allocated for the topic. Default is 1024. | | `requiresDuplicateDetection` | bool | `False` | | A value indicating if this topic requires duplicate detection. | diff --git a/arm/Microsoft.ServiceFabric/clusters/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.ServiceFabric/clusters/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.ServiceFabric/clusters/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.ServiceFabric/clusters/.bicep/nested_rbac.bicep index b7325ee782..3f9624ba43 100644 --- a/arm/Microsoft.ServiceFabric/clusters/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.ServiceFabric/clusters/.bicep/nested_rbac.bicep 
@@ -47,7 +47,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: serviceFabricCluster }] diff --git a/arm/Microsoft.ServiceFabric/clusters/.parameters/full.parameters.json b/arm/Microsoft.ServiceFabric/clusters/.parameters/full.parameters.json index 46c19ee885..6a7a61614e 100644 --- a/arm/Microsoft.ServiceFabric/clusters/.parameters/full.parameters.json +++ b/arm/Microsoft.ServiceFabric/clusters/.parameters/full.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-sfc-full-001" }, - "lock": { - "value": "CanNotDelete" - }, "tags": { "value": { "resourceType": "Service Fabric", diff --git a/arm/Microsoft.ServiceFabric/clusters/deploy.bicep b/arm/Microsoft.ServiceFabric/clusters/deploy.bicep index 535894f72c..f65b959456 100644 --- a/arm/Microsoft.ServiceFabric/clusters/deploy.bicep +++ b/arm/Microsoft.ServiceFabric/clusters/deploy.bicep @@ -8,12 +8,12 @@ param location string = resourceGroup().location param tags object = {} @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true 
@@ -135,7 +135,7 @@ param roleAssignments array = [] @description('Optional. Array of Service Fabric cluster application types.') param applicationTypes array = [] -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false var clientCertificateCommonNames_var = [for clientCertificateCommonName in clientCertificateCommonNames: { certificateCommonName: contains(clientCertificateCommonName, 'certificateCommonName') ? clientCertificateCommonName.certificateCommonName : null @@ -280,17 +280,17 @@ resource serviceFabricCluster 'Microsoft.ServiceFabric/clusters@2021-06-01' = { } // Service Fabric cluster resource lock -resource serviceFabricCluster_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource serviceFabricCluster_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${serviceFabricCluster.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: serviceFabricCluster } // Service Fabric cluster RBAC assignment -module serviceFabricCluster_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module serviceFabricCluster_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-ServiceFabric-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' @@ -308,7 +308,7 @@ module serviceFabricCluster_applicationTypes 'applicationTypes/deploy.bicep' = [ name: applicationType.name serviceFabricClusterName: serviceFabricCluster.name tags: contains(applicationType, 'tags') ? applicationType.tags : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] 
diff --git a/arm/Microsoft.ServiceFabric/clusters/readme.md b/arm/Microsoft.ServiceFabric/clusters/readme.md index 51e8917772..4457ae8a32 100644 --- a/arm/Microsoft.ServiceFabric/clusters/readme.md +++ b/arm/Microsoft.ServiceFabric/clusters/readme.md @@ -45,7 +45,7 @@ This module deploys a Service Fabric Cluster. | `fabricSettings` | array | `[]` | | The list of custom fabric settings to configure the cluster. | | `infrastructureServiceManager` | bool | `False` | | Indicates if infrastructure service manager is enabled. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `notifications` | array | `[]` | | Indicates a list of notification channels for cluster events. | | `reliabilityLevel` | string | | `[Bronze, Gold, None, Platinum, Silver]` | The reliability level sets the replica set size of system services. Learn about ReliabilityLevel (https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-capacity). - None - Run the System services with a target replica set count of 1. This should only be used for test clusters. - Bronze - Run the System services with a target replica set count of 3. This should only be used for test clusters. - Silver - Run the System services with a target replica set count of 5. - Gold - Run the System services with a target replica set count of 7. - Platinum - Run the System services with a target replica set count of 9. | | `reverseProxyCertificate` | object | `{object}` | | Describes the certificate details. | @@ -332,9 +332,6 @@ module clusters './Microsoft.ServiceFabric/clusters/deploy.bicep' = { "name": { "value": "<>-az-sfc-full-001" }, - "lock": { - "value": "CanNotDelete" - }, "tags": { "value": { "resourceType": "Service Fabric", 
@@ -547,7 +544,6 @@ module clusters './Microsoft.ServiceFabric/clusters/deploy.bicep' = { name: '${uniqueString(deployment().name)}-clusters' params: { name: '<>-az-sfc-full-001' - lock: 'CanNotDelete' tags: { resourceType: 'Service Fabric' clusterName: '<>-az-sfc-full-001' diff --git a/arm/Microsoft.Sql/managedInstances/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Sql/managedInstances/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Sql/managedInstances/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Sql/managedInstances/.bicep/nested_rbac.bicep index 63cd145815..dde02de6db 100644 --- a/arm/Microsoft.Sql/managedInstances/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Sql/managedInstances/.bicep/nested_rbac.bicep @@ -50,7 +50,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: managedInstance }] diff --git a/arm/Microsoft.Sql/managedInstances/.parameters/parameters.json b/arm/Microsoft.Sql/managedInstances/.parameters/parameters.json index 7435419747..d6eef2990f 100644 --- a/arm/Microsoft.Sql/managedInstances/.parameters/parameters.json +++ b/arm/Microsoft.Sql/managedInstances/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-sqlmi-x-002" }, - "lock": { - "value": "CanNotDelete" - }, "administratorLogin": { "reference": { "keyVault": { diff --git a/arm/Microsoft.Sql/managedInstances/databases/deploy.bicep b/arm/Microsoft.Sql/managedInstances/databases/deploy.bicep index 32d9bbd5af..3926211258 100644 --- a/arm/Microsoft.Sql/managedInstances/databases/deploy.bicep +++ b/arm/Microsoft.Sql/managedInstances/databases/deploy.bicep 
@@ -62,12 +62,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. The configuration for the backup short term retention policy definition.') param backupShortTermRetentionPoliciesObj object = {} @@ -107,7 +107,7 @@ var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { } }] -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -144,11 +144,11 @@ resource database 'Microsoft.Sql/managedInstances/databases@2021-05-01-preview' } } -resource database_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource database_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${last(split(database.name, '/'))}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: database } @@ -172,7 +172,7 @@ module database_backupShortTermRetentionPolicy 'backupShortTermRetentionPolicies databaseName: last(split(database.name, '/')) name: backupShortTermRetentionPoliciesObj.name retentionDays: contains(backupShortTermRetentionPoliciesObj, 'retentionDays') ? backupShortTermRetentionPoliciesObj.retentionDays : 35 - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } 
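Review bot: The `lock` parameter's `@description('Optional. Specify the type of lock.')` no longer explains the sentinel: `'NotSpecified'` is now the default and, per the `database_lock` condition `if (lock != 'NotSpecified')` later in this file, it is the value under which no lock resource is created, which the `@allowed` list alone does not convey. Suggest `@description('Optional. Specify the type of lock. NotSpecified (the default) creates no lock resource.')`. The same parameter block and condition are changed identically in the managedInstances/deploy.bicep and servers/deploy.bicep hunks of this commit and would take the same wording. The surrounding parameter section continues outside the hunk.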
@@ -186,7 +186,7 @@ module database_backupLongTermRetentionPolicy 'backupLongTermRetentionPolicies/d weeklyRetention: contains(backupLongTermRetentionPoliciesObj, 'weeklyRetention') ? backupLongTermRetentionPoliciesObj.weeklyRetention : 'P1M' monthlyRetention: contains(backupLongTermRetentionPoliciesObj, 'monthlyRetention') ? backupLongTermRetentionPoliciesObj.monthlyRetention : 'P1Y' yearlyRetention: contains(backupLongTermRetentionPoliciesObj, 'yearlyRetention') ? backupLongTermRetentionPoliciesObj.yearlyRetention : 'P5Y' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } diff --git a/arm/Microsoft.Sql/managedInstances/databases/readme.md b/arm/Microsoft.Sql/managedInstances/databases/readme.md index ae3f798df1..93c47c5572 100644 --- a/arm/Microsoft.Sql/managedInstances/databases/readme.md +++ b/arm/Microsoft.Sql/managedInstances/databases/readme.md @@ -57,7 +57,7 @@ The SQL Managed Instance Database is deployed on a SQL Managed Instance. | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `restorableDroppedDatabaseId` | string | `''` | | The restorable dropped database resource ID to restore when creating this database. | | `tags` | object | `{object}` | | Tags of the resource. | diff --git a/arm/Microsoft.Sql/managedInstances/deploy.bicep b/arm/Microsoft.Sql/managedInstances/deploy.bicep index f8ecf40024..8e71c4c829 100644 --- a/arm/Microsoft.Sql/managedInstances/deploy.bicep +++ b/arm/Microsoft.Sql/managedInstances/deploy.bicep 
@@ -100,12 +100,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -199,7 +199,7 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' @@ -248,11 +248,11 @@ resource managedInstance 'Microsoft.Sql/managedInstances@2021-05-01-preview' = { } } -resource managedInstance_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource managedInstance_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${managedInstance.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: managedInstance } 
@@ -270,7 +270,7 @@ resource managedInstance_diagnosticSettings 'Microsoft.Insights/diagnosticsettin scope: managedInstance } -module managedInstance_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module managedInstance_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-SqlMi-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' @@ -294,7 +294,7 @@ module managedInstance_databases 'databases/deploy.bicep' = [for (database, inde diagnosticEventHubAuthorizationRuleId: contains(database, 'diagnosticEventHubAuthorizationRuleId') ? database.diagnosticEventHubAuthorizationRuleId : '' diagnosticEventHubName: contains(database, 'diagnosticEventHubName') ? database.diagnosticEventHubName : '' location: contains(database, 'location') ? database.location : managedInstance.location - lock: contains(database, 'lock') ? database.lock : '' + lock: contains(database, 'lock') ? database.lock : lock longTermRetentionBackupResourceId: contains(database, 'longTermRetentionBackupResourceId') ? database.longTermRetentionBackupResourceId : '' recoverableDatabaseId: contains(database, 'recoverableDatabaseId') ? database.recoverableDatabaseId : '' restorableDroppedDatabaseId: contains(database, 'restorableDroppedDatabaseId') ? database.restorableDroppedDatabaseId : '' 
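Review bot: `lock: contains(database, 'lock') ? database.lock : lock` changes the default for child databases from no lock to the parent instance's lock, so an instance deployed with `'CanNotDelete'` or `'ReadOnly'` now also locks every database entry that does not set its own `lock`. That is a reasonable hardening, but it is a behaviour change for existing callers and nothing in the hunk or the readme hunks of this commit records it; suggest extending the `databases` parameter description (outside this hunk) with a sentence such as 'A database inherits the instance `lock` unless it sets its own; use `lock: 'NotSpecified'` on the database object to opt out.' The `managedInstance_databases` module block starts and ends outside this hunk.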
@@ -306,7 +306,7 @@ module managedInstance_databases 'databases/deploy.bicep' = [for (database, inde diagnosticWorkspaceId: contains(database, 'diagnosticWorkspaceId') ? database.diagnosticWorkspaceId : '' backupShortTermRetentionPoliciesObj: contains(database, 'backupShortTermRetentionPolicies') ? database.backupShortTermRetentionPolicies : {} backupLongTermRetentionPoliciesObj: contains(database, 'backupLongTermRetentionPolicies') ? database.backupLongTermRetentionPolicies : {} - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -317,7 +317,7 @@ module managedInstance_securityAlertPolicy 'securityAlertPolicies/deploy.bicep' name: securityAlertPoliciesObj.name emailAccountAdmins: contains(securityAlertPoliciesObj, 'emailAccountAdmins') ? securityAlertPoliciesObj.emailAccountAdmins : false state: contains(securityAlertPoliciesObj, 'state') ? securityAlertPoliciesObj.state : 'Disabled' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -330,7 +330,7 @@ module managedInstance_vulnerabilityAssessment 'vulnerabilityAssessments/deploy. recurringScansEmailSubscriptionAdmins: contains(vulnerabilityAssessmentsObj, 'recurringScansEmailSubscriptionAdmins') ? vulnerabilityAssessmentsObj.recurringScansEmailSubscriptionAdmins : false recurringScansIsEnabled: contains(vulnerabilityAssessmentsObj, 'recurringScansIsEnabled') ? vulnerabilityAssessmentsObj.recurringScansIsEnabled : false vulnerabilityAssessmentsStorageAccountId: contains(vulnerabilityAssessmentsObj, 'vulnerabilityAssessmentsStorageAccountId') ? vulnerabilityAssessmentsObj.vulnerabilityAssessmentsStorageAccountId : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ managedInstance_securityAlertPolicy 
@@ -344,7 +344,7 @@ module managedInstance_key 'keys/deploy.bicep' = [for (key, index) in keys: { name: contains(key, 'name') ? key.name : '' serverKeyType: contains(key, 'serverKeyType') ? key.serverKeyType : 'ServiceManaged' uri: contains(key, 'uri') ? key.uri : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -356,7 +356,7 @@ module managedInstance_encryptionProtector 'encryptionProtector/deploy.bicep' = name: contains(encryptionProtectorObj, 'name') ? encryptionProtectorObj.serverKeyType : 'current' serverKeyType: contains(encryptionProtectorObj, 'serverKeyType') ? encryptionProtectorObj.serverKeyType : 'ServiceManaged' autoRotationEnabled: contains(encryptionProtectorObj, 'autoRotationEnabled') ? encryptionProtectorObj.autoRotationEnabled : true - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } @@ -367,7 +367,7 @@ module managedInstance_administrator 'administrators/deploy.bicep' = if (!empty( login: administratorsObj.name sid: administratorsObj.sid tenantId: contains(administratorsObj, 'tenantId') ? administratorsObj.tenantId : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } diff --git a/arm/Microsoft.Sql/managedInstances/readme.md b/arm/Microsoft.Sql/managedInstances/readme.md index b420c4df0d..a6f438c200 100644 --- a/arm/Microsoft.Sql/managedInstances/readme.md +++ b/arm/Microsoft.Sql/managedInstances/readme.md 
@@ -75,7 +75,7 @@ SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://docs.m | `keys` | _[keys](keys/readme.md)_ array | `[]` | | The keys to configure. | | `licenseType` | string | `'LicenseIncluded'` | `[LicenseIncluded, BasePrice]` | The license type. Possible values are 'LicenseIncluded' (regular price inclusive of a new SQL license) and 'BasePrice' (discounted AHB price for bringing your own SQL licenses). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `managedInstanceCreateMode` | string | `'Default'` | `[Default, PointInTimeRestore]` | Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. | | `proxyOverride` | string | `'Proxy'` | `[Proxy, Redirect, Default]` | Connection type used for connecting to the instance. | | `publicDataEndpointEnabled` | bool | `False` | | Whether or not the public data endpoint is enabled. | @@ -288,9 +288,6 @@ userAssignedIdentities: { "name": { "value": "<>-az-sqlmi-x-002" }, - "lock": { - "value": "CanNotDelete" - }, "administratorLogin": { "reference": { "keyVault": { 
@@ -450,9 +447,38 @@ module managedInstances './Microsoft.Sql/managedInstances/deploy.bicep' = { name: '${uniqueString(deployment().name)}-managedInstances' params: { name: '<>-az-sqlmi-x-002' - lock: 'CanNotDelete' - administratorLogin: kv1.getSecret('administratorLogin') - administratorLoginPassword: kv1.getSecret('administratorLoginPassword') + administratorLogin: [ + { + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + } + secretName: 'administratorLogin' + } + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true + } + ] + administratorLoginPassword: [ + { + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + } + secretName: 'administratorLoginPassword' + } + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true + } + ] subnetId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-sqlmi/subnets/<>-az-subnet-x-sqlmi' skuName: 'GP_Gen5' skuTier: 'GeneralPurpose' diff --git a/arm/Microsoft.Sql/servers/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Sql/servers/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..7af99c7273 --- /dev/null +++ b/arm/Microsoft.Sql/servers/.bicep/nested_privateEndpoint.bicep 
@@ -0,0 +1,58 @@
+@description('The resource ID of the service to link to')
+param privateEndpointResourceId string
+
+@description('Required. The location of the proviate endpoint')
+param privateEndpointVnetLocation string
+
+@description('Optional. Tags to add to the private endpoint.')
+param tags object = {}
+
+@description('Optional. The name of the private endpoint')
+param name string = '${last(split(privateEndpointResourceId, '/'))}-${service}'
+
+@description('Required. The service/groupId his private endpoint should connect to')
+param service string = 'sqlServer'
+
+@description('Required. Subnet in a virtual network resource.')
+param subnetResourceId string
+
+@description('Optional. Custom DNS configurations.')
+param customDnsConfigs array = []
+
+@description('Optional. A collection of private DNS zone configurations of the private dns zone group.')
+param privateDnsZoneResourceIds array = []
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: [
+ service
+ ]
+ }
+ }
+ ]
+ subnet: {
+ id: subnetResourceId
+ }
+ customDnsConfigs: customDnsConfigs
+ }
+
+ resource privateDnsZoneGroups 'privateDnsZoneGroups@2021-02-01' = {
+ name: 'default'
+ properties: {
+ privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateDnsZoneResourceIds: {
+ name: last(split(privateDnsZoneResourceId, '/'))
+ properties: {
+ privateDnsZoneId: privateDnsZoneResourceId
+ }
+ }]
+ }
+ }
+}
diff --git a/arm/Microsoft.Sql/servers/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Sql/servers/.bicep/nested_rbac.bicep
similarity index 98%
rename from arm/Microsoft.Sql/servers/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Sql/servers/.bicep/nested_rbac.bicep
index be5cfb01a9..9df4ec572f 100644
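Review bot: The parameter descriptions in the new template contradict the declarations: `service` is annotated `Required.` but has the default `'sqlServer'`, `privateEndpointResourceId` and `name` carry no Required/Optional prefix while the rest of the file uses one, and `privateEndpointVnetLocation` has the typo `proviate`. Suggest `@description('Required. The resource ID of the service to link to.')`, `@description('Required. The location of the private endpoint.')` and `@description('Optional. The service/groupId this private endpoint should connect to. Defaults to sqlServer.')`. Separately, the template exposes no `lock` or role-assignment parameters, whereas the shared private-endpoint module it replaces in servers/deploy.bicep received `lock` from the server; a private endpoint created here can therefore no longer be protected against deletion alongside its server, which should either be stated in the readme or restored with a `lock` parameter and a `Microsoft.Authorization/locks` resource scoped to `privateEndpoint`.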
--- a/arm/Microsoft.Sql/servers/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Sql/servers/.bicep/nested_rbac.bicep
@@ -51,7 +51,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: server
 }]
diff --git a/arm/Microsoft.Sql/servers/.parameters/parameters.json b/arm/Microsoft.Sql/servers/.parameters/parameters.json
index 091333e683..2f3893f12f 100644
--- a/arm/Microsoft.Sql/servers/.parameters/parameters.json
+++ b/arm/Microsoft.Sql/servers/.parameters/parameters.json
@@ -5,9 +5,6 @@
 "name": {
 "value": "<>-az-sqlsrv-x-001"
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "administratorLogin": {
 "reference": {
 "keyVault": {
@@ -31,9 +28,7 @@
 "value": [
 {
 "roleDefinitionIdOrName": "Reader",
- "principalIds": [
- "<>"
- ]
+ "principalIds": ["<>"]
 }
 ]
 },
@@ -97,8 +92,7 @@
 "privateEndpoints": {
 "value": [
 {
- "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints",
- "service": "sqlServer"
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints"
 }
 ]
 }
diff --git a/arm/Microsoft.Sql/servers/deploy.bicep b/arm/Microsoft.Sql/servers/deploy.bicep
index a943bf9afd..19c54f905c 100644
--- a/arm/Microsoft.Sql/servers/deploy.bicep
+++ b/arm/Microsoft.Sql/servers/deploy.bicep
@@ -18,12 +18,12 @@ param systemAssignedIdentity bool = false param userAssignedIdentities object = {} @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -56,7 +56,7 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false @description('Optional. The vulnerability assessment configuration.') param vulnerabilityAssessmentsObj object = {} 
@@ -93,16 +93,16 @@ resource server 'Microsoft.Sql/servers@2021-05-01-preview' = { } } -resource server_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource server_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${server.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: server } -module server_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module server_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-Sql-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' 
@@ -144,27 +144,21 @@ module server_databases 'databases/deploy.bicep' = [for (database, index) in dat tags: contains(database, 'tags') ? database.tags : {} diagnosticWorkspaceId: contains(database, 'diagnosticWorkspaceId') ? database.diagnosticWorkspaceId : '' zoneRedundant: contains(database, 'zoneRedundant') ? database.zoneRedundant : false - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] -module server_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-SQLServer-PrivateEndpoint-${index}' +module server_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) { + name: '${uniqueString(deployment().name, location)}-Sql-PrivateEndpoints-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(server.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: server.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? 
privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: server.id + privateEndpointVnetLocation: !empty(privateEndpoints) ? reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location : 'dummy' + service: contains(endpoint, 'service') ? endpoint.service : 'sqlServer' + subnetResourceId: endpoint.subnetResourceId + customDnsConfigs: contains(endpoint, 'customDnsConfigs') ? endpoint.customDnsConfigs : [] + name: contains(endpoint, 'name') ? endpoint.name : '${last(split(server.id, '/'))}-sql' + privateDnsZoneResourceIds: contains(endpoint, 'privateDnsZoneResourceIds') ? endpoint.privateDnsZoneResourceIds : [] + tags: contains(endpoint, 'tags') ? endpoint.tags : {} } }] @@ -175,7 +169,7 @@ module server_firewallRules 'firewallRules/deploy.bicep' = [for (firewallRule, i serverName: server.name endIpAddress: contains(firewallRule, 'endIpAddress') ? firewallRule.endIpAddress : '0.0.0.0' startIpAddress: contains(firewallRule, 'startIpAddress') ? firewallRule.startIpAddress : '0.0.0.0' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] @@ -191,7 +185,7 @@ module server_securityAlertPolicies 'securityAlertPolicies/deploy.bicep' = [for state: contains(securityAlertPolicy, 'state') ? securityAlertPolicy.state : 'Disabled' storageAccountAccessKey: contains(securityAlertPolicy, 'storageAccountAccessKey') ? securityAlertPolicy.storageAccountAccessKey : '' storageEndpoint: contains(securityAlertPolicy, 'storageEndpoint') ? securityAlertPolicy.storageEndpoint : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] 
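Review bot: The default endpoint name `'${last(split(server.id, '/'))}-sql'` drops the `-${index}` and the service suffix that the replaced line had, so two entries in `privateEndpoints` without an explicit `name` now resolve to the same resource name and the deployment fails; suggest `name: contains(endpoint, 'name') ? endpoint.name : '${last(split(server.id, '/'))}-${contains(endpoint, 'service') ? endpoint.service : 'sqlServer'}-${index}'`. The `if (!empty(privateEndpoints))` on the `for` and the `'dummy'` fallback in `privateEndpointVnetLocation` are dead code, since the loop body never runs for an empty array, so both can go and the line becomes `privateEndpointVnetLocation: reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location`. The module also no longer forwards `lock` or `roleAssignments`, and the DNS key changes from `privateDnsZoneGroups` to `privateDnsZoneResourceIds`; a caller still passing `privateDnsZoneGroups` gets an endpoint with no private DNS zone group and no error, so the renamed key and the dropped `lock` belong in the readme as breaking changes. The `server_databases` block at the top of the hunk starts outside it.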
@@ -204,7 +198,7 @@ module server_vulnerabilityAssessment 'vulnerabilityAssessments/deploy.bicep' = recurringScansEmailSubscriptionAdmins: contains(vulnerabilityAssessmentsObj, 'recurringScansEmailSubscriptionAdmins') ? vulnerabilityAssessmentsObj.recurringScansEmailSubscriptionAdmins : false recurringScansIsEnabled: contains(vulnerabilityAssessmentsObj, 'recurringScansIsEnabled') ? vulnerabilityAssessmentsObj.recurringScansIsEnabled : false vulnerabilityAssessmentsStorageAccountId: contains(vulnerabilityAssessmentsObj, 'vulnerabilityAssessmentsStorageAccountId') ? vulnerabilityAssessmentsObj.vulnerabilityAssessmentsStorageAccountId : '' - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } dependsOn: [ server_securityAlertPolicies diff --git a/arm/Microsoft.Sql/servers/readme.md b/arm/Microsoft.Sql/servers/readme.md index 915a9eee9e..74f8a7094f 100644 --- a/arm/Microsoft.Sql/servers/readme.md +++ b/arm/Microsoft.Sql/servers/readme.md 
@@ -17,7 +17,7 @@ This module deploys a SQL server. | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | | `Microsoft.Sql/servers` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-05-01-preview/servers) | | `Microsoft.Sql/servers/databases` | [2021-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-02-01-preview/servers/databases) | | `Microsoft.Sql/servers/firewallRules` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-05-01-preview/servers/firewallRules) | 
@@ -45,7 +45,7 @@ This module deploys a SQL server. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `firewallRules` | _[firewallRules](firewallRules/readme.md)_ array | `[]` | | The firewall rules to create in the server. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `securityAlertPolicies` | _[securityAlertPolicies](securityAlertPolicies/readme.md)_ array | `[]` | | The security alert policies to create in the server. | @@ -383,9 +383,6 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { "name": { "value": "<>-az-sqlsrv-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "administratorLogin": { "reference": { "keyVault": { @@ -409,9 +406,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { "value": [ { "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] + "principalIds": ["<>"] } ] }, 
@@ -475,8 +470,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { "privateEndpoints": { "value": [ { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "sqlServer" + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" } ] } @@ -501,9 +495,38 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { name: '${uniqueString(deployment().name)}-servers' params: { name: '<>-az-sqlsrv-x-001' - lock: 'CanNotDelete' - administratorLogin: kv1.getSecret('administratorLogin') - administratorLoginPassword: kv1.getSecret('administratorLoginPassword') + administratorLogin: [ + { + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/<>/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + } + secretName: 'administratorLogin' + } + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true + } + ] + administratorLoginPassword: [ + { + Value: { + keyVault: { + id: '/subscriptions/<>/resourceGroups/<>/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' + } + secretName: 'administratorLoginPassword' + } + MemberType: 8 + IsSettable: true + IsGettable: true + TypeNameOfValue: 'System.Management.Automation.PSCustomObject' + Name: 'reference' + IsInstance: true + } + ] location: 'westeurope' roleAssignments: [ { @@ -561,7 +584,6 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { privateEndpoints: [ { subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' - service: 'sqlServer' } ] } 
diff --git a/arm/Microsoft.Sql/servers/securityAlertPolicies/deploy.bicep b/arm/Microsoft.Sql/servers/securityAlertPolicies/deploy.bicep index 7800a6c409..e745b2ce4d 100644 --- a/arm/Microsoft.Sql/servers/securityAlertPolicies/deploy.bicep +++ b/arm/Microsoft.Sql/servers/securityAlertPolicies/deploy.bicep @@ -24,7 +24,7 @@ param state string = 'Disabled' @secure() param storageAccountAccessKey string = '' -@description('Optional. Specifies the blob storage endpoint. This blob storage will hold all Threat Detection audit logs.') +@description('Optional. Specifies the blob storage endpoint (e.g. https://mystorageaccount.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.') param storageEndpoint string = '' @description('Conditional. The name of the parent SQL Server. Required if the template is used in a standalone deployment.') diff --git a/arm/Microsoft.Sql/servers/securityAlertPolicies/readme.md b/arm/Microsoft.Sql/servers/securityAlertPolicies/readme.md index 31cf4c9f55..5e7b710bc8 100644 --- a/arm/Microsoft.Sql/servers/securityAlertPolicies/readme.md +++ b/arm/Microsoft.Sql/servers/securityAlertPolicies/readme.md 
@@ -36,7 +36,7 @@ This module deploys an SQL Server Security Alert Policy. | `retentionDays` | int | `0` | | Specifies the number of days to keep in the Threat Detection audit logs. | | `state` | string | `'Disabled'` | `[Disabled, Enabled]` | Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database. | | `storageAccountAccessKey` | secureString | `''` | | Specifies the identifier key of the Threat Detection audit storage account.. | -| `storageEndpoint` | string | `''` | | Specifies the blob storage endpoint. This blob storage will hold all Threat Detection audit logs. | +| `storageEndpoint` | string | `''` | | Specifies the blob storage endpoint (e.g. https://mystorageaccount.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs. | ## Outputs diff --git a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..75fa03bcd3 --- /dev/null +++ b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_privateEndpoint.bicep 
@@ -0,0 +1,49 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpointObj object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}')
+ subnetResourceId: privateEndpointObj.subnetResourceId
+ service: [
+ privateEndpointObj.service
+ ]
+ privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? ((empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds)) : [])
+ customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null)
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+
+ resource privateDnsZoneGroups 'privateDnsZoneGroups@2021-02-01' = {
+ name: 'default'
+ properties: {
+ privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: {
+ name: last(split(privateDnsZoneResourceId, '/'))
+ properties: {
+ privateDnsZoneId: privateDnsZoneResourceId
+ }
+ }]
+ }
+ }
+}
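Review bot: The nested `privateDnsZoneGroups` resource is deployed unconditionally, so an endpoint whose object carries no `privateDnsZoneResourceIds` still gets a `default` zone group with an empty `privateDnsZoneConfigs` list; guarding it with `resource privateDnsZoneGroups 'privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {` keeps the resource out of deployments that do not need it. `privateEndpointObj.service` and `privateEndpointObj.subnetResourceId` are read without a `contains` check, unlike `name`, `privateDnsZoneResourceIds` and `customDnsConfigs`, so a missing key fails only at deployment time with an opaque error; the file has no `@description` on any of its four parameters, and a short header comment stating the expected shape of `privateEndpointObj` (required `service` and `subnetResourceId`, optional `name`, `privateDnsZoneResourceIds`, `customDnsConfigs`) would make that contract visible to callers.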
diff --git a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_rbac.bicep
similarity index 99%
rename from arm/Microsoft.Storage/storageAccounts/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Storage/storageAccounts/.bicep/nested_rbac.bicep
index 269332a976..19551746b5 100644
--- a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_rbac.bicep
@@ -74,7 +74,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: storageAccount
 }]
diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/encr.parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/encr.parameters.json
deleted file mode 100644
index cdc4f530c1..0000000000
--- a/arm/Microsoft.Storage/storageAccounts/.parameters/encr.parameters.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "name": {
- "value": "<>azsaencr001"
- },
- "storageAccountSku": {
- "value": "Standard_LRS"
- },
- "allowBlobPublicAccess": {
- "value": false
- },
- "publicNetworkAccess": {
- "value": "Disabled"
- },
- "requireInfrastructureEncryption": {
- "value": true
- },
- "systemAssignedIdentity": {
- "value": false
- },
- "userAssignedIdentities": {
- "value": {
- "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
- }
- },
- "cMKKeyVaultResourceId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002"
- },
- "cMKKeyName": {
- "value": "keyEncryptionKey"
- },
- "cMKUserAssignedIdentityResourceId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001"
- }
- }
-}
diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
index 6783c5818a..95d58e294b 100644
--- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
+++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json
@@ -17,9 +17,6 @@
 "requireInfrastructureEncryption": {
 "value": true
 },
- "lock": {
- "value": "CanNotDelete"
- },
 "privateEndpoints": {
 "value": [
 {
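Review bot: With `lock` removed from parameters.json and encr.parameters.json deleted in the same diff, no remaining parameter file in this module sets `lock`, so the `storageAccount_lock` resource (changed further down in deploy.bicep to guard on `'NotSpecified'`) is no longer exercised by the validation pipeline. If the value was dropped because a `CanNotDelete` lock blocks cleanup of the validation resource group, a one-line comment in the commit description saying so, or a dedicated parameter file that keeps `lock` covered, would prevent the coverage gap from being silent.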
diff --git a/arm/Microsoft.Storage/storageAccounts/blobServices/containers/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Storage/storageAccounts/blobServices/containers/.bicep/nested_rbac.bicep
similarity index 98%
rename from arm/Microsoft.Storage/storageAccounts/blobServices/containers/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Storage/storageAccounts/blobServices/containers/.bicep/nested_rbac.bicep
index b1efabf41c..51e7db27e7 100644
--- a/arm/Microsoft.Storage/storageAccounts/blobServices/containers/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/blobServices/containers/.bicep/nested_rbac.bicep
@@ -65,7 +65,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: container
 }]
diff --git a/arm/Microsoft.Storage/storageAccounts/blobServices/containers/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/blobServices/containers/deploy.bicep
index f4f6cb6c58..d7574e5249 100644
--- a/arm/Microsoft.Storage/storageAccounts/blobServices/containers/deploy.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/blobServices/containers/deploy.bicep
@@ -28,7 +28,7 @@ param roleAssignments array = []
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
-var enableReferencedModulesTelemetry = false
+var enableChildTelemetry = false
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
@@ -66,11 +66,11 @@ module immutabilityPolicy 'immutabilityPolicies/deploy.bicep' = if (!empty(immut
 containerName: container.name
 immutabilityPeriodSinceCreationInDays: contains(immutabilityPolicyProperties, 'immutabilityPeriodSinceCreationInDays') ? immutabilityPolicyProperties.immutabilityPeriodSinceCreationInDays : 365
 allowProtectedAppendWrites: contains(immutabilityPolicyProperties, 'allowProtectedAppendWrites') ? immutabilityPolicyProperties.allowProtectedAppendWrites : true
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }
-module container_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module container_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${deployment().name}-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Storage/storageAccounts/blobServices/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/blobServices/deploy.bicep
index 333e1a429c..3e579d4cbc 100644
--- a/arm/Microsoft.Storage/storageAccounts/blobServices/deploy.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/blobServices/deploy.bicep
@@ -79,7 +79,7 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 }
 }]
-var enableReferencedModulesTelemetry = false
+var enableChildTelemetry = false
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
@@ -131,7 +131,7 @@ module blobServices_container 'containers/deploy.bicep' = [for (container, index
 publicAccess: contains(container, 'publicAccess') ? container.publicAccess : 'None'
 roleAssignments: contains(container, 'roleAssignments') ? container.roleAssignments : []
 immutabilityPolicyProperties: contains(container, 'immutabilityPolicyProperties') ? container.immutabilityPolicyProperties : {}
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep
index 8654467136..ca710791cf 100644
--- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep
@@ -56,7 +56,7 @@ param managementPolicyRules array = []
 @description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny.')
 param networkAcls object = {}
-@description('Optional. A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true.')
+@description('Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true.')
 param requireInfrastructureEncryption bool = true
 @description('Optional. Blob service and containers to deploy.')
@@ -103,12 +103,12 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 param diagnosticEventHubName string = ''
 @allowed([
- ''
 'CanNotDelete'
+ 'NotSpecified'
 'ReadOnly'
 ])
 @description('Optional. Specify the type of lock.')
-param lock string = ''
+param lock string = 'NotSpecified'
 @description('Optional. Tags of the resource.')
 param tags object = {}
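Review bot: Replacing `''` with `'NotSpecified'` in the `@allowed` list of `lock` turns every existing caller that passes `lock: ''` (previously the documented "no lock" value, see the readme row changed later in this diff) into a validation failure, and nothing in the hunk or the description records that `'NotSpecified'` is a module-level sentinel rather than an Azure lock level. Please state that in the decorator, e.g. `@description('Optional. Specify the type of lock. \'NotSpecified\' (the default) deploys no lock resource.')`, and mention the breaking change for `''` callers in the commit description. The guard in the `storageAccount_lock` hunk further down (`lock != 'NotSpecified'`) is consistent with the new sentinel, so the only gap is documentation and the migration for old parameter files.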
@@ -138,18 +138,6 @@ param diagnosticMetricsToEnable array = [
 'Transaction'
 ]
-@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
-param cMKKeyVaultResourceId string = ''
-
-@description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.')
-param cMKKeyName string = ''
-
-@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.')
-param cMKUserAssignedIdentityResourceId string = ''
-
-@description('Optional. The version of the customer managed key to reference for encryption. If not provided, latest is used.')
-param cMKKeyVersion string = ''
-
 @description('Optional. The name of the diagnostic setting, if deployed.')
 param diagnosticSettingsName string = '${name}-diagnosticSettings'
@@ -164,7 +152,7 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 }]
 var maxNameLength = 24
-var uniqueStorageNameUntrim = uniqueString('Storage Account${basetime}')
+var uniqueStorageNameUntrim = '${uniqueString('Storage Account${basetime}')}'
 var uniqueStorageName = length(uniqueStorageNameUntrim) > maxNameLength ? substring(uniqueStorageNameUntrim, 0, maxNameLength) : uniqueStorageNameUntrim
 var supportsBlobService = storageAccountKind == 'BlockBlobStorage' || storageAccountKind == 'BlobStorage' || storageAccountKind == 'StorageV2' || storageAccountKind == 'Storage'
@@ -176,7 +164,7 @@ var identity = identityType != 'None' ? {
 userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
 } : null
-var enableReferencedModulesTelemetry = false
+var enableChildTelemetry = false
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
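Review bot: Removing `cMKKeyVaultResourceId`, `cMKKeyName`, `cMKUserAssignedIdentityResourceId` and `cMKKeyVersion` here, together with the `keyVault` reference and the hard-coded `keySource: 'Microsoft.Storage'` / dropped `keyvaultproperties` in the storageAccount hunks that follow, removes customer-managed-key encryption from the module with no deprecation path: a consumer whose parameter file still supplies any `cMK*` value will be rejected by ARM for an unknown parameter, and one who relied on the module to enforce CMK silently falls back to platform-managed keys. Nothing visible in this diff explains the removal, so please record the rationale and the migration (which module or later version offers CMK) in the commit description and in the readme's parameter section. In the `-164` hunk, `'${uniqueString('Storage Account${basetime}')}'` is the same string as `uniqueString('Storage Account${basetime}')`; unless a linter or a type check required a literal interpolation, the original form is simpler.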
@@ -190,11 +178,6 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (!empty(cMKKeyVaultResourceId)) {
- name: last(split(cMKKeyVaultResourceId, '/'))
- scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
-}
-
 resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {
 name: !empty(name) ? name : uniqueStorageName
 location: location
@@ -206,7 +189,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {
 tags: tags
 properties: {
 encryption: {
- keySource: !empty(cMKKeyName) ? 'Microsoft.Keyvault' : 'Microsoft.Storage'
+ keySource: 'Microsoft.Storage'
 services: {
 blob: supportsBlobService ? {
 enabled: true
@@ -214,22 +197,8 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {
 file: supportsFileService ? {
 enabled: true
 } : null
- table: {
- enabled: true
- }
- queue: {
- enabled: true
- }
 }
 requireInfrastructureEncryption: storageAccountKind != 'Storage' ? requireInfrastructureEncryption : null
- keyvaultproperties: !empty(cMKKeyName) ? {
- keyname: cMKKeyName
- keyvaulturi: keyVault.properties.vaultUri
- keyversion: !empty(cMKKeyVersion) ? cMKKeyVersion : null
- } : null
- identity: !empty(cMKKeyName) ? {
- userAssignedIdentity: cMKUserAssignedIdentityResourceId
- } : null
 }
 accessTier: storageAccountKind != 'Storage' ? storageAccountAccessTier : null
 supportsHttpsTrafficOnly: supportsHttpsTrafficOnly
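Review bot: The `-214` hunk also drops the explicit `table` and `queue` entries from `encryption.services`, which is a separate change from the CMK removal that the rest of these hunks perform, and the diff gives no reason for it. With `keySource` now fixed to `'Microsoft.Storage'` the service-level entries are presumably redundant, but whether the deployed account reports the same encryption settings for table and queue as before depends on the resource provider's defaults, which this diff cannot show; please confirm against a deployed account (or keep the two entries) and note the outcome in the commit description. A one-line comment above `services: {` such as `// blob/file only; table and queue use the provider default with platform-managed keys` would keep the intent visible.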
@@ -259,16 +228,16 @@ resource storageAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSetting
 scope: storageAccount
 }
-resource storageAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
+resource storageAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
 name: '${storageAccount.name}-${lock}-lock'
 properties: {
- level: any(lock)
+ level: lock
 notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
 scope: storageAccount
 }
-module storageAccount_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module storageAccount_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-Storage-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
@@ -279,23 +248,13 @@ module storageAccount_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAss
 }
 }]
-module storageAccount_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-StorageAccount-PrivateEndpoint-${index}'
+module storageAccount_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) {
+ name: '${uniqueString(deployment().name, location)}-Storage-PrivateEndpoints-${index}'
 params: {
- groupIds: [
- privateEndpoint.service
- ]
- name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(storageAccount.id, '/'))}-${privateEndpoint.service}-${index}'
- serviceResourceId: storageAccount.id
- subnetResourceId: privateEndpoint.subnetResourceId
- enableDefaultTelemetry: enableReferencedModulesTelemetry
- location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
- privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
- roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
- tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
- manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
- customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
+ privateEndpointResourceId: storageAccount.id
+ privateEndpointVnetLocation: !empty(privateEndpoints) ? reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location : 'dummy'
+ privateEndpointObj: endpoint
+ tags: tags
 }
 }]
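Review bot: Switching to `.bicep/nested_privateEndpoint.bicep` changes the shape of each `privateEndpoints` entry without any failure signal: the nested module (the new-file hunk earlier in this diff) reads `privateDnsZoneResourceIds` via `contains`, so an existing parameter file that still uses the old `privateDnsZoneGroups` key deploys an endpoint whose private DNS zone group is empty, and clients keep resolving the storage account's public address — a silent regression rather than an error; the per-endpoint `lock`, `roleAssignments`, `manualPrivateLinkServiceConnections` and `enableDefaultTelemetry` pass-throughs are gone as well. The nested module's default name `'${privateEndpointResourceName}-${privateEndpointObj.service}'` no longer carries `${index}`, so two entries for the same `service` in different subnets now collide on the resource name. The loop guard `if (!empty(privateEndpoints))` and the `'dummy'` fallback in `privateEndpointVnetLocation` can never take effect inside a loop over `privateEndpoints`; `privateEndpointVnetLocation: reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location` reads the same. The readme row for `privateEndpoints` is left unchanged further down, so the new object keys should be documented there together with the renamed DNS key.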
@@ -305,7 +264,7 @@ module storageAccount_managementPolicies 'managementPolicies/deploy.bicep' = if
 params: {
 storageAccountName: storageAccount.name
 rules: managementPolicyRules
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }
@@ -325,7 +284,7 @@ module storageAccount_blobServices 'blobServices/deploy.bicep' = if (!empty(blob
 diagnosticLogCategoriesToEnable: contains(blobServices, 'diagnosticLogCategoriesToEnable') ? blobServices.diagnosticLogCategoriesToEnable : []
 diagnosticMetricsToEnable: contains(blobServices, 'diagnosticMetricsToEnable') ? blobServices.diagnosticMetricsToEnable : []
 diagnosticWorkspaceId: contains(blobServices, 'diagnosticWorkspaceId') ? blobServices.diagnosticWorkspaceId : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }
@@ -347,7 +306,7 @@ module storageAccount_fileServices 'fileServices/deploy.bicep' = if (!empty(file
 }
 shares: contains(fileServices, 'shares') ? fileServices.shares : []
 diagnosticWorkspaceId: contains(fileServices, 'diagnosticWorkspaceId') ? fileServices.diagnosticWorkspaceId : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }
@@ -364,7 +323,7 @@ module storageAccount_queueServices 'queueServices/deploy.bicep' = if (!empty(qu
 diagnosticMetricsToEnable: contains(queueServices, 'diagnosticMetricsToEnable') ? queueServices.diagnosticMetricsToEnable : []
 queues: contains(queueServices, 'queues') ? queueServices.queues : []
 diagnosticWorkspaceId: contains(queueServices, 'diagnosticWorkspaceId') ? queueServices.diagnosticWorkspaceId : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }
@@ -381,7 +340,7 @@ module storageAccount_tableServices 'tableServices/deploy.bicep' = if (!empty(ta
 diagnosticMetricsToEnable: contains(tableServices, 'diagnosticMetricsToEnable') ? tableServices.diagnosticMetricsToEnable : []
 tables: contains(tableServices, 'tables') ? tableServices.tables : []
 diagnosticWorkspaceId: contains(tableServices, 'diagnosticWorkspaceId') ? tableServices.diagnosticWorkspaceId : ''
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }
diff --git a/arm/Microsoft.Storage/storageAccounts/fileServices/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/fileServices/deploy.bicep
index e3e81b1935..cd9102f170 100644
--- a/arm/Microsoft.Storage/storageAccounts/fileServices/deploy.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/fileServices/deploy.bicep
@@ -79,7 +79,7 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 }
 }]
-var enableReferencedModulesTelemetry = false
+var enableChildTelemetry = false
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
@@ -129,7 +129,7 @@ module fileServices_shares 'shares/deploy.bicep' = [for (share, index) in shares
 rootSquash: contains(share, 'rootSquash') ? share.rootSquash : 'NoRootSquash'
 sharedQuota: contains(share, 'sharedQuota') ? share.sharedQuota : 5120
 roleAssignments: contains(share, 'roleAssignments') ? share.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
diff --git a/arm/Microsoft.Storage/storageAccounts/fileServices/shares/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Storage/storageAccounts/fileServices/shares/.bicep/nested_rbac.bicep
similarity index 99%
rename from arm/Microsoft.Storage/storageAccounts/fileServices/shares/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Storage/storageAccounts/fileServices/shares/.bicep/nested_rbac.bicep
index 9d211dd063..36fdd64a53 100644
--- a/arm/Microsoft.Storage/storageAccounts/fileServices/shares/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/fileServices/shares/.bicep/nested_rbac.bicep
@@ -74,7 +74,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: fileShare
 }]
diff --git a/arm/Microsoft.Storage/storageAccounts/fileServices/shares/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/fileServices/shares/deploy.bicep
index c70d661c65..10895d2c9e 100644
--- a/arm/Microsoft.Storage/storageAccounts/fileServices/shares/deploy.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/fileServices/shares/deploy.bicep
@@ -62,7 +62,7 @@ resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2021-0
 }
 }
-module fileShare_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module fileShare_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${deployment().name}-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Storage/storageAccounts/queueServices/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/queueServices/deploy.bicep
index 1eead7817f..1ad847e56c 100644
--- a/arm/Microsoft.Storage/storageAccounts/queueServices/deploy.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/queueServices/deploy.bicep
@@ -70,7 +70,7 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
 }
 }]
-var enableReferencedModulesTelemetry = false
+var enableChildTelemetry = false
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
@@ -115,7 +115,7 @@ module queueServices_queues 'queues/deploy.bicep' = [for (queue, index) in queue
 name: queue.name
 metadata: contains(queue, 'metadata') ? queue.metadata : {}
 roleAssignments: contains(queue, 'roleAssignments') ? queue.roleAssignments : []
- enableDefaultTelemetry: enableReferencedModulesTelemetry
+ enableDefaultTelemetry: enableChildTelemetry
 }
 }]
diff --git a/arm/Microsoft.Storage/storageAccounts/queueServices/queues/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Storage/storageAccounts/queueServices/queues/.bicep/nested_rbac.bicep
similarity index 98%
rename from arm/Microsoft.Storage/storageAccounts/queueServices/queues/.bicep/nested_roleAssignments.bicep
rename to arm/Microsoft.Storage/storageAccounts/queueServices/queues/.bicep/nested_rbac.bicep
index f1e85f9964..cd5fe01235 100644
--- a/arm/Microsoft.Storage/storageAccounts/queueServices/queues/.bicep/nested_roleAssignments.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/queueServices/queues/.bicep/nested_rbac.bicep
@@ -71,7 +71,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
 principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
+ principalType: !empty(principalType) ? principalType : null
 }
 scope: queue
 }]
diff --git a/arm/Microsoft.Storage/storageAccounts/queueServices/queues/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/queueServices/queues/deploy.bicep
index b812d142f1..9a08797969 100644
--- a/arm/Microsoft.Storage/storageAccounts/queueServices/queues/deploy.bicep
+++ b/arm/Microsoft.Storage/storageAccounts/queueServices/queues/deploy.bicep
@@ -45,7 +45,7 @@ resource queue 'Microsoft.Storage/storageAccounts/queueServices/queues@2019-06-0
 }
 }
-module queue_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+module queue_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${deployment().name}-Rbac-${index}'
 params: {
 description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
diff --git a/arm/Microsoft.Storage/storageAccounts/readme.md b/arm/Microsoft.Storage/storageAccounts/readme.md
index abc60aa794..c7422e2026 100644
--- a/arm/Microsoft.Storage/storageAccounts/readme.md
+++ b/arm/Microsoft.Storage/storageAccounts/readme.md
@@ -18,7 +18,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | | `Microsoft.Storage/storageAccounts` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-08-01/storageAccounts) | | `Microsoft.Storage/storageAccounts/blobServices` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-06-01/storageAccounts/blobServices) | | `Microsoft.Storage/storageAccounts/blobServices/containers` | [2019-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/blobServices/containers) | 
@@ -33,20 +33,12 @@ This module is used to deploy a storage account, with the ability to deploy 1 or ## Parameters -**Conditional parameters** -| Parameter Name | Type | Default Value | Description | -| :-- | :-- | :-- | :-- | -| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | - **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `allowBlobPublicAccess` | bool | `False` | | Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false. | | `azureFilesIdentityBasedAuthentication` | object | `{object}` | | Provides the identity based authentication settings for Azure Files. | | `blobServices` | _[blobServices](blobServices/readme.md)_ object | `{object}` | | Blob service and containers to deploy. | -| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter 'systemAssignedIdentity' enabled. | -| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. | -| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, latest is used. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
| | `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | @@ -58,7 +50,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | `enableHierarchicalNamespace` | bool | `False` | | If true, enables Hierarchical Namespace for the storage account. | | `fileServices` | _[fileServices](fileServices/readme.md)_ object | `{object}` | | File service and shares to deploy. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `managementPolicyRules` | array | `[]` | | The Storage Account ManagementPolicies Rules. | | `minimumTlsVersion` | string | `'TLS1_2'` | `[TLS1_0, TLS1_1, TLS1_2]` | Set the minimum TLS version on request to storage. | | `name` | string | `''` | | Name of the Storage Account. Autogenerated with a unique string if not provided. | 
@@ -66,7 +58,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `publicNetworkAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | Enable or disallow public network access to Storage Account.. | | `queueServices` | _[queueServices](queueServices/readme.md)_ object | `{object}` | | Queue service and queues to create. | -| `requireInfrastructureEncryption` | bool | `True` | | A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. | +| `requireInfrastructureEncryption` | bool | `True` | | A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `storageAccountAccessTier` | string | `'Hot'` | `[Hot, Cool]` | Storage Account Access Tier. | | `storageAccountKind` | string | `'StorageV2'` | `[Storage, StorageV2, BlobStorage, FileStorage, BlockBlobStorage]` | Type of Storage Account to create. | 
@@ -375,37 +367,8 @@ The hierarchical namespace of the storage account (see parameter `enableHierarch "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { - "name": { - "value": "<>azsaencr001" - }, - "storageAccountSku": { - "value": "Standard_LRS" - }, "allowBlobPublicAccess": { "value": false - }, - "publicNetworkAccess": { - "value": "Disabled" - }, - "requireInfrastructureEncryption": { - "value": true - }, - "systemAssignedIdentity": { - "value": false - }, - "userAssignedIdentities": { - "value": { - "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} - } - }, - "cMKKeyVaultResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" - }, - "cMKKeyName": { - "value": "keyEncryptionKey" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" } } } 
@@ -422,18 +385,7 @@ The hierarchical namespace of the storage account (see parameter `enableHierarch module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = { name: '${uniqueString(deployment().name)}-storageAccounts' params: { - name: '<>azsaencr001' - storageAccountSku: 'Standard_LRS' allowBlobPublicAccess: false - publicNetworkAccess: 'Disabled' - requireInfrastructureEncryption: true - systemAssignedIdentity: false - userAssignedIdentities: { - '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} - } - cMKKeyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002' - cMKKeyName: 'keyEncryptionKey' - cMKUserAssignedIdentityResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001' } ``` @@ -446,42 +398,6 @@ module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = {

via JSON Parameter file -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "allowBlobPublicAccess": { - "value": false - } - } -} - -``` - -
- -
- -via Bicep module - -```bicep -module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-storageAccounts' - params: { - allowBlobPublicAccess: false - } -``` - -
-

- -

Example 3

- -
- -via JSON Parameter file - ```json { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", @@ -596,7 +512,7 @@ module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = {

-

Example 4

+

Example 3

@@ -622,9 +538,6 @@ module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = { "requireInfrastructureEncryption": { "value": true }, - "lock": { - "value": "CanNotDelete" - }, "privateEndpoints": { "value": [ { @@ -813,7 +726,6 @@ module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = { allowBlobPublicAccess: false publicNetworkAccess: 'Disabled' requireInfrastructureEncryption: true - lock: 'CanNotDelete' privateEndpoints: [ { subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' @@ -960,7 +872,7 @@ module storageAccounts './Microsoft.Storage/storageAccounts/deploy.bicep' = {

-

Example 5

+

Example 4

diff --git a/arm/Microsoft.Storage/storageAccounts/tableServices/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/tableServices/deploy.bicep index 735855c143..4fb7c8ec75 100644 --- a/arm/Microsoft.Storage/storageAccounts/tableServices/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/tableServices/deploy.bicep @@ -70,7 +70,7 @@ var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { } }] -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' @@ -113,7 +113,7 @@ module tableServices_tables 'tables/deploy.bicep' = [for (tableName, index) in t storageAccountName: storageAccount.name tableServicesName: tableServices.name name: tableName - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } }] diff --git a/arm/Microsoft.Synapse/privateLinkHubs/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Synapse/privateLinkHubs/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..f855b992be --- /dev/null +++ b/arm/Microsoft.Synapse/privateLinkHubs/.bicep/nested_privateEndpoint.bicep 
@@ -0,0 +1,50 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpointObj object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}'
+ subnetResourceId: privateEndpointObj.subnetResourceId
+ service: [
+ privateEndpointObj.service
+ ]
+ privateDnsZoneResourceIds: contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : []
+ customDnsConfigs: contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+}
+
+resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
+ name: 'default'
+ properties: {
+ privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: {
+ name: last(split(privateDnsZoneResourceId, '/'))
+ properties: {
+ privateDnsZoneId: privateDnsZoneResourceId
+ }
+ }]
+ }
+ parent: privateEndpoint
+}
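Review bot: Caller keys that the previously used shared private-endpoint module honoured — `privateDnsZoneGroups`, `lock`, `roleAssignments`, `manualPrivateLinkServiceConnections` and per-endpoint `tags` — are silently ignored by this nested module, which reads only `name`, `subnetResourceId`, `service`, `privateDnsZoneResourceIds` and `customDnsConfigs` from `privateEndpointObj`; the same applies to the rewritten `privateLinkHub_privateEndpoints` call in `deploy.bicep` further down this page, which now passes the object through unchanged and always uses the module-level `tags`. An existing `privateEndpoints` entry that carries `privateDnsZoneGroups` therefore deploys an endpoint with no private DNS zone group and no lock, with no validation error to point at the regression. Either document the accepted object shape on the parameter, e.g. `@description('Required. Private endpoint configuration. Accepted keys: name, subnetResourceId, service, privateDnsZoneResourceIds, customDnsConfigs.')` above `param privateEndpointObj object`, or keep accepting the old key names. The default name `${privateEndpointResourceName}-${service}` also drops the index the old default carried, so two endpoints for the same service would collide on resource name.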
diff --git a/arm/Microsoft.Synapse/privateLinkHubs/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Synapse/privateLinkHubs/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Synapse/privateLinkHubs/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Synapse/privateLinkHubs/.bicep/nested_rbac.bicep index 810e105821..6c9eae6921 100644 --- a/arm/Microsoft.Synapse/privateLinkHubs/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Synapse/privateLinkHubs/.bicep/nested_rbac.bicep @@ -47,7 +47,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: privateLinkHub }] diff --git a/arm/Microsoft.Synapse/privateLinkHubs/.parameters/parameters.json b/arm/Microsoft.Synapse/privateLinkHubs/.parameters/parameters.json index 32f603e943..e9bb15fdb8 100644 --- a/arm/Microsoft.Synapse/privateLinkHubs/.parameters/parameters.json +++ b/arm/Microsoft.Synapse/privateLinkHubs/.parameters/parameters.json @@ -5,30 +5,15 @@ "name": { "value": "synplhstandard001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] + "principalIds": ["<>"] }, { "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "principalIds": [ - "<>" - ] - } - ] - }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "Web" + "principalIds": ["<>"] } ] } 
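Review bot: The module's parameter file no longer contains a `privateEndpoints` entry, so the new `.bicep/nested_privateEndpoint.bicep` added in this same commit is not deployed by the module's own validation run; the `lock` entry is dropped as well, leaving the lock resource untested. Keeping one `privateEndpoints` entry with `subnetResourceId` and `service` (as the removed lines had) would keep the new nested module covered.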
diff --git a/arm/Microsoft.Synapse/privateLinkHubs/deploy.bicep b/arm/Microsoft.Synapse/privateLinkHubs/deploy.bicep index 72083d0a54..b76c4b931b 100644 --- a/arm/Microsoft.Synapse/privateLinkHubs/deploy.bicep +++ b/arm/Microsoft.Synapse/privateLinkHubs/deploy.bicep @@ -8,12 +8,12 @@ param location string = resourceGroup().location param tags object = {} @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true @@ -24,8 +24,6 @@ param roleAssignments array = [] @description('Optional. Configuration Details for private endpoints.') param privateEndpoints array = [] -var enableReferencedModulesTelemetry = false - resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
@@ -45,17 +43,17 @@ resource privateLinkHub 'Microsoft.Synapse/privateLinkHubs@2021-06-01' = { } // Resource Lock -resource privateLinkHub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource privateLinkHub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${privateLinkHub.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: privateLinkHub } // RBAC -module privateLinkHub_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module privateLinkHub_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${deployment().name}-rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' 
@@ -67,23 +65,13 @@ module privateLinkHub_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAss }] // Private Endpoints -module privateLinkHub_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-PrivateLinkHub-PrivateEndpoint-${index}' +module privateLinkHub_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: { + name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(privateLinkHub.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: privateLinkHub.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: privateLinkHub.id + privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + privateEndpointObj: privateEndpoint + tags: tags } }] 
diff --git a/arm/Microsoft.Synapse/privateLinkHubs/readme.md b/arm/Microsoft.Synapse/privateLinkHubs/readme.md index 83d3ba5b1f..43bd6a31d5 100644 --- a/arm/Microsoft.Synapse/privateLinkHubs/readme.md +++ b/arm/Microsoft.Synapse/privateLinkHubs/readme.md @@ -31,7 +31,7 @@ This module deploys Azure Synapse Analytics (private link hubs). | :-- | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | The geo-location where the resource lives. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the resource. | 
@@ -275,30 +275,15 @@ module privateLinkHubs './Microsoft.Synapse/privateLinkHubs/deploy.bicep' = { "name": { "value": "synplhstandard001" }, - "lock": { - "value": "CanNotDelete" - }, "roleAssignments": { "value": [ { "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] + "principalIds": ["<>"] }, { "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "principalIds": [ - "<>" - ] - } - ] - }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "Web" + "principalIds": ["<>"] } ] } @@ -318,7 +303,6 @@ module privateLinkHubs './Microsoft.Synapse/privateLinkHubs/deploy.bicep' = { name: '${uniqueString(deployment().name)}-privateLinkHubs' params: { name: 'synplhstandard001' - lock: 'CanNotDelete' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' @@ -333,12 +317,6 @@ module privateLinkHubs './Microsoft.Synapse/privateLinkHubs/deploy.bicep' = { ] } ] - privateEndpoints: [ - { - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' - service: 'Web' - } - ] } ``` diff --git a/arm/Microsoft.VirtualMachineImages/imageTemplates/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.VirtualMachineImages/imageTemplates/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.VirtualMachineImages/imageTemplates/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.VirtualMachineImages/imageTemplates/.bicep/nested_rbac.bicep index 1bd3d488bf..d8b3f95cd1 100644 --- a/arm/Microsoft.VirtualMachineImages/imageTemplates/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.VirtualMachineImages/imageTemplates/.bicep/nested_rbac.bicep 
@@ -47,7 +47,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: imageTemplate }] diff --git a/arm/Microsoft.VirtualMachineImages/imageTemplates/.parameters/parameters.json b/arm/Microsoft.VirtualMachineImages/imageTemplates/.parameters/parameters.json index df382ff2e0..4b1b66c317 100644 --- a/arm/Microsoft.VirtualMachineImages/imageTemplates/.parameters/parameters.json +++ b/arm/Microsoft.VirtualMachineImages/imageTemplates/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-imgt-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "userMsiName": { "value": "adp-<>-az-msi-x-001" }, diff --git a/arm/Microsoft.VirtualMachineImages/imageTemplates/deploy.bicep b/arm/Microsoft.VirtualMachineImages/imageTemplates/deploy.bicep index d871b0c4f9..a8cd986798 100644 --- a/arm/Microsoft.VirtualMachineImages/imageTemplates/deploy.bicep +++ b/arm/Microsoft.VirtualMachineImages/imageTemplates/deploy.bicep @@ -43,12 +43,12 @@ param sigImageDefinitionId string = '' param imageReplicationRegions array = [] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Tags of the resource.') param tags object = {} 
@@ -155,16 +155,16 @@ resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2020-02-14 } } -resource imageTemplate_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource imageTemplate_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${imageTemplate.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: imageTemplate } -module imageTemplate_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module imageTemplate_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-ImageTemplate-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.VirtualMachineImages/imageTemplates/readme.md b/arm/Microsoft.VirtualMachineImages/imageTemplates/readme.md index 52757187c5..a0c2a5bd73 100644 --- a/arm/Microsoft.VirtualMachineImages/imageTemplates/readme.md +++ b/arm/Microsoft.VirtualMachineImages/imageTemplates/readme.md 
@@ -34,7 +34,7 @@ This module deploys an image template that can be consumed by the Azure Image Bu | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `imageReplicationRegions` | array | `[]` | | List of the regions the image produced by this solution should be stored in the Shared Image Gallery. When left empty, the deployment's location will be taken as a default value. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `managedImageName` | string | `''` | | Name of the managed image that will be created in the AIB resourcegroup. | | `osDiskSizeGB` | int | `128` | | Specifies the size of OS disk. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -274,9 +274,6 @@ roleAssignments: [ "name": { "value": "<>-az-imgt-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "userMsiName": { "value": "adp-<>-az-msi-x-001" }, @@ -350,7 +347,6 @@ module imageTemplates './Microsoft.VirtualMachineImages/imageTemplates/deploy.bi name: '${uniqueString(deployment().name)}-imageTemplates' params: { name: '<>-az-imgt-x-001' - lock: 'CanNotDelete' userMsiName: 'adp-<>-az-msi-x-001' userMsiResourceGroup: 'validation-rg' buildTimeoutInMinutes: 0 
diff --git a/arm/Microsoft.Web/connections/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Web/connections/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Web/connections/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Web/connections/.bicep/nested_rbac.bicep index e34dc1dff1..15ddb3d606 100644 --- a/arm/Microsoft.Web/connections/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Web/connections/.bicep/nested_rbac.bicep @@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: connection }] diff --git a/arm/Microsoft.Web/connections/.parameters/parameters.json b/arm/Microsoft.Web/connections/.parameters/parameters.json index c2862592b5..920f8784bf 100644 --- a/arm/Microsoft.Web/connections/.parameters/parameters.json +++ b/arm/Microsoft.Web/connections/.parameters/parameters.json @@ -5,8 +5,8 @@ "name": { "value": "azuremonitor" }, - "lock": { - "value": "CanNotDelete" + "connectionKind": { + "value": "V1" }, "displayName": { "value": "azuremonitorlogs" diff --git a/arm/Microsoft.Web/connections/deploy.bicep b/arm/Microsoft.Web/connections/deploy.bicep index 48c60e7d23..4ee18fbc33 100644 --- a/arm/Microsoft.Web/connections/deploy.bicep +++ b/arm/Microsoft.Web/connections/deploy.bicep 
@@ -4,6 +4,9 @@ param alternativeParameterValues object = {} @description('Optional. Specific values for some API connections.') param connectionApi object = {} +@description('Required. Connection Kind. Example: \'V1\' when using blobs. It can change depending on the resource.') +param connectionKind string + @description('Required. Connection name for connection. Example: \'azureblob\' when using blobs. It can change depending on the resource.') param name string @@ -26,6 +29,9 @@ param nonSecretParameterValues object = {} @secure() param parameterValues object = {} +@description('Optional. Value Type of parameter, in case alternativeParameterValues is used.') +param parameterValueType string = '' + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -33,12 +39,12 @@ param roleAssignments array = [] param statuses array = [] @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Tags of the resource.') param tags object = {} 
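Review bot: `connectionKind` is introduced as a required parameter with no default, so every existing consumer of this module fails validation until it passes one — a breaking interface change that the commit does not call out. The parameter file and readme examples in this commit both use `'V1'`; if that is the common value, `param connectionKind string = 'V1'` keeps the module backward compatible, otherwise the breaking change should be stated in the readme next to the new required-parameter row.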
@@ -61,10 +67,13 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena resource connection 'Microsoft.Web/connections@2016-06-01' = { name: name location: location + kind: connectionKind tags: tags properties: { displayName: displayName customParameterValues: customParameterValues + parameterValueType: !empty(parameterValueType) ? parameterValueType : null + alternativeParameterValues: !empty(alternativeParameterValues) ? alternativeParameterValues : null api: connectionApi parameterValues: empty(alternativeParameterValues) ? parameterValues : null nonSecretParameterValues: !empty(nonSecretParameterValues) ? nonSecretParameterValues : null @@ -73,16 +82,16 @@ resource connection 'Microsoft.Web/connections@2016-06-01' = { } } -resource connection_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource connection_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${connection.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: connection } -module connection_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module connection_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-Connection-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Web/connections/readme.md b/arm/Microsoft.Web/connections/readme.md index 1712310f3b..c933fd9f66 100644 --- a/arm/Microsoft.Web/connections/readme.md +++ b/arm/Microsoft.Web/connections/readme.md 
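Review bot: `alternativeParameterValues` is now written into the connection's `properties` and, when non-empty, replaces `parameterValues`, which the preceding hunk declares with `@secure()`; whether `alternativeParameterValues` itself carries `@secure()` is not visible here, since its declaration on line 4 sits outside these hunks. If it holds the same kind of credential material as `parameterValues`, it needs `@secure()` too, otherwise the values are retained in plaintext in the deployment history and can be read back by anyone with read access to the resource group's deployments. Suggest confirming the declaration and adding `@secure()` above `param alternativeParameterValues object = {}` if it is missing.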
@@ -22,6 +22,7 @@ This module deploys an Azure API connection. **Required parameters** | Parameter Name | Type | Description | | :-- | :-- | :-- | +| `connectionKind` | string | Connection Kind. Example: 'V1' when using blobs. It can change depending on the resource. | | `displayName` | string | Display name connection. Example: 'blobconnection' when using blobs. It can change depending on the resource. | | `name` | string | Connection name for connection. Example: 'azureblob' when using blobs. It can change depending on the resource. | 
@@ -33,9 +34,10 @@ This module deploys an Azure API connection. | `customParameterValues` | object | `{object}` | | Customized parameter values for specific connections. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location of the deployment. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `nonSecretParameterValues` | object | `{object}` | | Dictionary of nonsecret parameter values. | | `parameterValues` | secureObject | `{object}` | | Connection strings or access keys for connection. Example: 'accountName' and 'accessKey' when using blobs. It can change depending on the resource. | +| `parameterValueType` | string | `''` | | Value Type of parameter, in case alternativeParameterValues is used. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `statuses` | array | `[]` | | Status of the connection. | | `tags` | object | `{object}` | | Tags of the resource. | @@ -167,8 +169,8 @@ tags: { "name": { "value": "azuremonitor" }, - "lock": { - "value": "CanNotDelete" + "connectionKind": { + "value": "V1" }, "displayName": { "value": "azuremonitorlogs" 
@@ -204,7 +206,7 @@ module connections './Microsoft.Web/connections/deploy.bicep' = { name: '${uniqueString(deployment().name)}-connections' params: { name: 'azuremonitor' - lock: 'CanNotDelete' + connectionKind: 'V1' displayName: 'azuremonitorlogs' connectionApi: { id: '/subscriptions/<>/providers/Microsoft.Web/locations/westeurope/managedApis/azuremonitorlogs' diff --git a/arm/Microsoft.Web/hostingEnvironments/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Web/hostingEnvironments/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Web/hostingEnvironments/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Web/hostingEnvironments/.bicep/nested_rbac.bicep index 698394c2cf..f374065580 100644 --- a/arm/Microsoft.Web/hostingEnvironments/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Web/hostingEnvironments/.bicep/nested_rbac.bicep @@ -48,7 +48,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: appServiceEnvironment }] diff --git a/arm/Microsoft.Web/hostingEnvironments/.parameters/asev2.parameters.json b/arm/Microsoft.Web/hostingEnvironments/.parameters/asev2.parameters.json deleted file mode 100644 index c556495066..0000000000 --- a/arm/Microsoft.Web/hostingEnvironments/.parameters/asev2.parameters.json +++ /dev/null 
@@ -1,54 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "name": {
- "value": "<>-az-appse-asev2-001"
- },
- "kind": {
- "value": "ASEv2"
- },
- "multiSize": {
- "value": "Standard_D1_V2"
- },
- "ipsslAddressCount": {
- "value": 2
- },
- "clusterSettings": {
- "value": [
- {
- "name": "DisableTls1.0",
- "value": "1"
- }
- ]
- },
- "subnetResourceId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-008"
- },
- "roleAssignments": {
- "value": [
- {
- "roleDefinitionIdOrName": "Reader",
- "principalIds": [
- "<>"
- ]
- }
- ]
- },
- "diagnosticLogsRetentionInDays": {
- "value": 7
- },
- "diagnosticStorageAccountId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001"
- },
- "diagnosticWorkspaceId": {
- "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001"
- },
- "diagnosticEventHubAuthorizationRuleId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
- },
- "diagnosticEventHubName": {
- "value": "adp-<>-az-evh-x-001"
- }
- }
-}
diff --git a/arm/Microsoft.Web/hostingEnvironments/.parameters/asev3.parameters.json b/arm/Microsoft.Web/hostingEnvironments/.parameters/parameters.json
similarity index 83%
rename from arm/Microsoft.Web/hostingEnvironments/.parameters/asev3.parameters.json
rename to arm/Microsoft.Web/hostingEnvironments/.parameters/parameters.json
index a304822546..cce2a36317 100644
--- a/arm/Microsoft.Web/hostingEnvironments/.parameters/asev3.parameters.json
+++ b/arm/Microsoft.Web/hostingEnvironments/.parameters/parameters.json
@@ -3,10 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-appse-asev3-001" - }, - "lock": { - "value": "CanNotDelete" + "value": "<>-az-appse-x-001" }, "subnetResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-006" @@ -24,14 +21,6 @@ "diagnosticLogsRetentionInDays": { "value": 7 }, - "clusterSettings": { - "value": [ - { - "name": "DisableTls1.0", - "value": "1" - } - ] - }, "diagnosticStorageAccountId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" }, diff --git a/arm/Microsoft.Web/hostingEnvironments/deploy.bicep b/arm/Microsoft.Web/hostingEnvironments/deploy.bicep index 98f2da741a..e2384f59fe 100644 --- a/arm/Microsoft.Web/hostingEnvironments/deploy.bicep +++ b/arm/Microsoft.Web/hostingEnvironments/deploy.bicep @@ -6,9 +6,9 @@ param name string param location string = resourceGroup().location @description('Optional. Kind of resource.') -param kind string = 'ASEv3' +param kind string = 'ASEV2' -@description('Required. ResourceId for the subnet.') +@description('Required. ResourceId for the sub net.') param subnetResourceId string @description('Optional. Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing.') @@ -19,9 +19,8 @@ param subnetResourceId string ]) param internalLoadBalancingMode string = 'None' -@description('Optional. Frontend VM size. Cannot be used with \'kind\' `ASEv3`.') +@description('Optional. Frontend VM size, e.g. Medium, Large.') @allowed([ - '' 'Medium' 'Large' 'ExtraLarge' 
@@ -33,30 +32,43 @@ param internalLoadBalancingMode string = 'None' 'Standard_D3_V2' 'Standard_D4_V2' ]) -param multiSize string = '' +param multiSize string = 'Standard_D1_V2' + +@description('Optional. Number of frontend instances.') +param multiRoleCount int = 2 @description('Optional. Number of IP SSL addresses reserved for the App Service Environment.') -param ipsslAddressCount int = -1 +param ipsslAddressCount int = 2 + +@description('Optional. Description of worker pools with worker size IDs, VM sizes, and number of workers in each pool..') +param workerPools array = [] @description('Optional. DNS suffix of the App Service Environment.') param dnsSuffix string = '' +@description('Optional. Access control list for controlling traffic to the App Service Environment..') +param networkAccessControlList array = [] + @description('Optional. Scale factor for frontends.') param frontEndScaleFactor int = 15 -@description('Optional. User added IP ranges to whitelist on ASE DB. Cannot be used with \'kind\' `ASEv3`.') +@description('Optional. API Management Account associated with the App Service Environment.') +param apiManagementAccountId string = '' + +@description('Optional. true if the App Service Environment is suspended; otherwise, false. The environment can be suspended, e.g. when the management endpoint is no longer available (most likely because NSG blocked the incoming traffic).') +param suspended bool = false + +@description('Optional. True/false indicating whether the App Service Environment is suspended. The environment can be suspended e.g. when the management endpoint is no longer available(most likely because NSG blocked the incoming traffic).') +param dynamicCacheEnabled bool = false + +@description('Optional. User added ip ranges to whitelist on ASE db - string.') param userWhitelistedIpRanges array = [] -@description('Optional. 
Custom settings for changing the behavior of the App Service Environment.') -param clusterSettings array = [ - { - name: 'DisableTls1.0' - value: '1' - } -] +@description('Optional. Flag that displays whether an ASE has linux workers or not.') +param hasLinuxWorkers bool = false -@description('Optional. Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`.') -param zoneRedundant bool = false +@description('Optional. Custom settings for changing the behavior of the App Service Environment.') +param clusterSettings array = [] @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') @minValue(0) @@ -76,12 +88,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
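Review bot: `clusterSettings` now defaults to `[]`, so an App Service Environment deployed with the module defaults no longer carries the `DisableTls1.0` setting and every caller has to add it explicitly to keep TLS 1.0 clients out; if that is intended, the parameter description should say so, e.g. `@description('Optional. Custom settings for changing the behavior of the App Service Environment. Nothing is applied by default; pass a DisableTls1.0 entry with value 1 to reject TLS 1.0 clients.')`. Separately, the description on `dynamicCacheEnabled` is a copy of the `suspended` text and does not describe the parameter; `@description('Optional. True/false indicating whether the dynamic cache is enabled for the App Service Environment.')` would be accurate. The `workerPools` and `networkAccessControlList` descriptions end in a double period, and the readme rows for all three parameters repeat the same text.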
@@ -92,9 +104,6 @@ param tags object = {} @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. The Dedicated Host Count. Is not supported by ASEv2. If `zoneRedundant` is false, and you want physical hardware isolation enabled, set to 2. Otherwise 0.') -param dedicatedHostCount int = -1 - @description('Optional. The name of logs that will be streamed.') @allowed([ 'AppServiceEnvironmentPlatformLogs' @@ -115,6 +124,8 @@ var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { } }] +var vnetResourceId = split(subnetResourceId, '/') + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
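Review bot: `vnetResourceId` holds the `/`-split segments of the subnet resource ID, not a VNet resource ID, so `last(vnetResourceId)` at the use site in the following hunk reads as if it took the last segment of a VNet ID. A name that states what the value is, `var subnetResourceIdSegments = split(subnetResourceId, '/')` with `subnet: last(subnetResourceIdSegments)` in the resource body, removes the ambiguity. Alternatively keep the inline `last(split(subnetResourceId, '/'))` and drop the variable, since it has a single use.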
@@ -127,32 +138,39 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource appServiceEnvironment 'Microsoft.Web/hostingEnvironments@2021-03-01' = { +resource appServiceEnvironment 'Microsoft.Web/hostingEnvironments@2021-02-01' = { name: name kind: kind location: location tags: tags properties: { + name: name + location: location virtualNetwork: { id: subnetResourceId - subnet: last(split(subnetResourceId, '/')) + subnet: last(vnetResourceId) } internalLoadBalancingMode: internalLoadBalancingMode - multiSize: !empty(multiSize) ? any(multiSize) : null - ipsslAddressCount: ipsslAddressCount != -1 ? ipsslAddressCount : null + multiSize: multiSize + multiRoleCount: multiRoleCount + workerPools: workerPools + ipsslAddressCount: ipsslAddressCount dnsSuffix: dnsSuffix + networkAccessControlList: networkAccessControlList frontEndScaleFactor: frontEndScaleFactor + apiManagementAccountId: apiManagementAccountId + suspended: suspended + dynamicCacheEnabled: dynamicCacheEnabled clusterSettings: clusterSettings - userWhitelistedIpRanges: !empty(userWhitelistedIpRanges) ? userWhitelistedIpRanges : null - dedicatedHostCount: dedicatedHostCount != -1 ? dedicatedHostCount : null - zoneRedundant: zoneRedundant + userWhitelistedIpRanges: userWhitelistedIpRanges + hasLinuxWorkers: hasLinuxWorkers } } -resource appServiceEnvironment_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource appServiceEnvironment_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${appServiceEnvironment.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: appServiceEnvironment 
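Review bot: `properties.name` and `properties.location` duplicate the top-level `name` and `location` of the `appServiceEnvironment` resource, and the reason is not visible here; if the 2021-02-01 schema does not require them the two lines can go, and if it does a comment such as `// 2021-02-01 schema expects name/location inside properties as well as on the resource` would spare the next reader the question. The unconditional `multiSize: multiSize` and `ipsslAddressCount: ipsslAddressCount` also mean the defaults `'Standard_D1_V2'` and `2` are always sent, which is worth stating in the parameter descriptions for callers that relied on the previous null-when-unset behaviour.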
@@ -170,7 +188,7 @@ resource appServiceEnvironment_diagnosticSettings 'Microsoft.Insights/diagnostic scope: appServiceEnvironment } -module appServiceEnvironment_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module appServiceEnvironment_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-AppServiceEnv-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Web/hostingEnvironments/readme.md b/arm/Microsoft.Web/hostingEnvironments/readme.md index e4df12336e..50cae81ff7 100644 --- a/arm/Microsoft.Web/hostingEnvironments/readme.md +++ b/arm/Microsoft.Web/hostingEnvironments/readme.md @@ -16,7 +16,7 @@ This module deploys an app service environment. | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Web/hostingEnvironments` | [2021-03-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2021-03-01/hostingEnvironments) | +| `Microsoft.Web/hostingEnvironments` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Web/2021-02-01/hostingEnvironments) | ## Parameters 
@@ -24,13 +24,13 @@ This module deploys an app service environment. | Parameter Name | Type | Description | | :-- | :-- | :-- | | `name` | string | Name of the App Service Environment. | -| `subnetResourceId` | string | ResourceId for the subnet. | +| `subnetResourceId` | string | ResourceId for the sub net. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `clusterSettings` | array | `[System.Collections.Hashtable]` | | Custom settings for changing the behavior of the App Service Environment. | -| `dedicatedHostCount` | int | `-1` | | The Dedicated Host Count. Is not supported by ASEv2. If `zoneRedundant` is false, and you want physical hardware isolation enabled, set to 2. Otherwise 0. | +| `apiManagementAccountId` | string | `''` | | API Management Account associated with the App Service Environment. | +| `clusterSettings` | array | `[]` | | Custom settings for changing the behavior of the App Service Environment. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `diagnosticLogCategoriesToEnable` | array | `[AppServiceEnvironmentPlatformLogs]` | `[AppServiceEnvironmentPlatformLogs]` | The name of logs that will be streamed. | 
@@ -39,55 +39,25 @@ This module deploys an app service environment. | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `dnsSuffix` | string | `''` | | DNS suffix of the App Service Environment. | +| `dynamicCacheEnabled` | bool | `False` | | True/false indicating whether the App Service Environment is suspended. The environment can be suspended e.g. when the management endpoint is no longer available(most likely because NSG blocked the incoming traffic). | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `frontEndScaleFactor` | int | `15` | | Scale factor for frontends. | +| `hasLinuxWorkers` | bool | `False` | | Flag that displays whether an ASE has linux workers or not. | | `internalLoadBalancingMode` | string | `'None'` | `[None, Web, Publishing]` | Specifies which endpoints to serve internally in the Virtual Network for the App Service Environment. - None, Web, Publishing, Web,Publishing. | -| `ipsslAddressCount` | int | `-1` | | Number of IP SSL addresses reserved for the App Service Environment. | -| `kind` | string | `'ASEv3'` | | Kind of resource. | +| `ipsslAddressCount` | int | `2` | | Number of IP SSL addresses reserved for the App Service Environment. | +| `kind` | string | `'ASEV2'` | | Kind of resource. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `multiSize` | string | `''` | `[, Medium, Large, ExtraLarge, Standard_D2, Standard_D3, Standard_D4, Standard_D1_V2, Standard_D2_V2, Standard_D3_V2, Standard_D4_V2]` | Frontend VM size. Cannot be used with 'kind' `ASEv3`. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. 
| +| `multiRoleCount` | int | `2` | | Number of frontend instances. | +| `multiSize` | string | `'Standard_D1_V2'` | `[Medium, Large, ExtraLarge, Standard_D2, Standard_D3, Standard_D4, Standard_D1_V2, Standard_D2_V2, Standard_D3_V2, Standard_D4_V2]` | Frontend VM size, e.g. Medium, Large. | +| `networkAccessControlList` | array | `[]` | | Access control list for controlling traffic to the App Service Environment.. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `suspended` | bool | `False` | | true if the App Service Environment is suspended; otherwise, false. The environment can be suspended, e.g. when the management endpoint is no longer available (most likely because NSG blocked the incoming traffic). | | `tags` | object | `{object}` | | Resource tags. | -| `userWhitelistedIpRanges` | array | `[]` | | User added IP ranges to whitelist on ASE DB. Cannot be used with 'kind' `ASEv3`. | -| `zoneRedundant` | bool | `False` | | Switch to make the App Service Environment zone redundant. If enabled, the minimum App Service plan instance count will be three, otherwise 1. If enabled, the `dedicatedHostCount` must be set to `-1`. | +| `userWhitelistedIpRanges` | array | `[]` | | User added ip ranges to whitelist on ASE db - string. | +| `workerPools` | array | `[]` | | Description of worker pools with worker size IDs, VM sizes, and number of workers in each pool.. | -### Parameter Usage: `clusterSettings` - -
- -Parameter JSON format - -```json -"clusterSettings": { - "value": [ - { - "name": "DisableTls1.0", - "value": "1" - } - ] -} -``` - -
- - -
- -Bicep format - -```bicep -clusterSettings: [ - { - name: 'DisableTls1.0' - value: '1' - } -] -``` - -
- ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. @@ -188,122 +158,131 @@ tags: {

-## Outputs +### Parameter Usage: `workerPools` -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the app service environment. | -| `resourceGroupName` | string | The resource group the app service environment was deployed into. | -| `resourceId` | string | The resource ID of the app service environment. | +

-## Deployment examples +Parameter JSON format -

Example 1

+```json +"workerPools": { + "value": { + "workerPools": [ + { + "workerSizeId": 0, + "workerSize": "Small", + "workerCount": 2 + }, + { + "workerSizeId": 1, + "workerSize": "Small", + "workerCount": 2 + } + ] + } +} +``` + +
-via JSON Parameter file +Bicep format -```json -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-appse-asev2-001" - }, - "kind": { - "value": "ASEv2" - }, - "multiSize": { - "value": "Standard_D1_V2" - }, - "ipsslAddressCount": { - "value": 2 - }, - "clusterSettings": { - "value": [ - { - "name": "DisableTls1.0", - "value": "1" - } - ] - }, - "subnetResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-008" - }, - "roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] - } - ] - }, - "diagnosticLogsRetentionInDays": { - "value": 7 - }, - "diagnosticStorageAccountId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" - }, - "diagnosticWorkspaceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001" - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" - }, - "diagnosticEventHubName": { - "value": "adp-<>-az-evh-x-001" +```bicep +workerPools: { + workerPools: [ + { + workerSizeId: 0 + workerSize: 'Small' + workerCount: 2 } - } + { + workerSizeId: 1 + workerSize: 'Small' + workerCount: 2 + } + ] } +``` + +workerPools can have two properties workerSize and workerCount: + +
+Parameter JSON format + +```json +"workerSize": { + "type": "string", + "allowedValues": [ + "Small", + "Medium", + "Large", + "ExtraLarge" + ], + "defaultValue": "Small", + "metadata": { + "description": "Instance size for worker pool one. Maps to P1,P2,P3,P4." + } +}, +"workerCount": { + "type": "int", + "defaultValue": 2, + "minValue": 2, + "maxValue": 100, + "metadata": { + "description": "Number of instances in worker pool one. Minimum of two." + } +} ```
-via Bicep module +Bicep format ```bicep -module hostingEnvironments './Microsoft.Web/hostingEnvironments/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-hostingEnvironments' - params: { - name: '<>-az-appse-asev2-001' - kind: 'ASEv2' - multiSize: 'Standard_D1_V2' - ipsslAddressCount: 2 - clusterSettings: [ - { - name: 'DisableTls1.0' - value: '1' - } - ] - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-008' - roleAssignments: [ - { - roleDefinitionIdOrName: 'Reader' - principalIds: [ - '<>' - ] - } +workerSize: { + type: 'string' + allowedValues: [ + 'Small' + 'Medium' + 'Large' + 'ExtraLarge' ] - diagnosticLogsRetentionInDays: 7 - diagnosticStorageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' - diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' - diagnosticEventHubAuthorizationRuleId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' - diagnosticEventHubName: 'adp-<>-az-evh-x-001' - } + defaultValue: 'Small' + metadata: { + description: 'Instance size for worker pool one. Maps to P1P2P3P4.' + } +} +workerCount: { + type: 'int' + defaultValue: 2 + minValue: 2 + maxValue: 100 + metadata: { + description: 'Number of instances in worker pool one. Minimum of two.' + } +} ```

-

Example 2

+## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the app service environment. | +| `resourceGroupName` | string | The resource group the app service environment was deployed into. | +| `resourceId` | string | The resource ID of the app service environment. | + +## Deployment examples + +

Example 1

@@ -315,10 +294,7 @@ module hostingEnvironments './Microsoft.Web/hostingEnvironments/deploy.bicep' = "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-appse-asev3-001" - }, - "lock": { - "value": "CanNotDelete" + "value": "<>-az-appse-x-001" }, "subnetResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-006" @@ -336,14 +312,6 @@ module hostingEnvironments './Microsoft.Web/hostingEnvironments/deploy.bicep' = "diagnosticLogsRetentionInDays": { "value": 7 }, - "clusterSettings": { - "value": [ - { - "name": "DisableTls1.0", - "value": "1" - } - ] - }, "diagnosticStorageAccountId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" }, @@ -371,8 +339,7 @@ module hostingEnvironments './Microsoft.Web/hostingEnvironments/deploy.bicep' = module hostingEnvironments './Microsoft.Web/hostingEnvironments/deploy.bicep' = { name: '${uniqueString(deployment().name)}-hostingEnvironments' params: { - name: '<>-az-appse-asev3-001' - lock: 'CanNotDelete' + name: '<>-az-appse-x-001' subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-006' roleAssignments: [ { 
@@ -383,12 +350,6 @@ module hostingEnvironments './Microsoft.Web/hostingEnvironments/deploy.bicep' = } ] diagnosticLogsRetentionInDays: 7 - clusterSettings: [ - { - name: 'DisableTls1.0' - value: '1' - } - ] diagnosticStorageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' diagnosticEventHubAuthorizationRuleId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' diff --git a/arm/Microsoft.Web/serverfarms/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Web/serverfarms/.bicep/nested_rbac.bicep similarity index 98% rename from arm/Microsoft.Web/serverfarms/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Web/serverfarms/.bicep/nested_rbac.bicep index 459ca0ee20..4ed9754a66 100644 --- a/arm/Microsoft.Web/serverfarms/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Web/serverfarms/.bicep/nested_rbac.bicep @@ -51,7 +51,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: appServicePlan }] diff --git a/arm/Microsoft.Web/serverfarms/.parameters/parameters.json b/arm/Microsoft.Web/serverfarms/.parameters/parameters.json index 63e6aa9044..2a311c3ec0 100644 --- a/arm/Microsoft.Web/serverfarms/.parameters/parameters.json +++ b/arm/Microsoft.Web/serverfarms/.parameters/parameters.json 
@@ -5,9 +5,6 @@ "name": { "value": "<>-az-asp-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "sku": { "value": { "name": "S1", diff --git a/arm/Microsoft.Web/serverfarms/deploy.bicep b/arm/Microsoft.Web/serverfarms/deploy.bicep index 278a369a95..7dff1b0ad0 100644 --- a/arm/Microsoft.Web/serverfarms/deploy.bicep +++ b/arm/Microsoft.Web/serverfarms/deploy.bicep @@ -43,12 +43,12 @@ param targetWorkerCount int = 0 param targetWorkerSize int = 0 @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] 
@@ -149,16 +149,16 @@ resource appServicePlan_diagnosticSettings 'Microsoft.Insights/diagnosticsetting scope: appServicePlan } -resource appServicePlan_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource appServicePlan_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${appServicePlan.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: appServicePlan } -module appServicePlan_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module appServicePlan_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-AppServicePlan-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' diff --git a/arm/Microsoft.Web/serverfarms/readme.md b/arm/Microsoft.Web/serverfarms/readme.md index 37d95f9456..56f8bcda5e 100644 --- a/arm/Microsoft.Web/serverfarms/readme.md +++ b/arm/Microsoft.Web/serverfarms/readme.md 
@@ -39,7 +39,7 @@ This module deploys an app service plan. | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `maximumElasticWorkerCount` | int | `1` | | Maximum number of total workers allowed for this ElasticScaleEnabled App Service Plan. | | `perSiteScaling` | bool | `False` | | If true, apps assigned to this App Service plan can be scaled independently. If false, apps assigned to this App Service plan will scale to all instances of the plan. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -212,9 +212,6 @@ tags: { "name": { "value": "<>-az-asp-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "sku": { "value": { "name": "S1", @@ -265,7 +262,6 @@ module serverf './Microsoft.Web/serverf/deploy.bicep' = { name: '${uniqueString(deployment().name)}-serverf' params: { name: '<>-az-asp-x-001' - lock: 'CanNotDelete' sku: { name: 'S1' tier: 'Standard' 
diff --git a/arm/Microsoft.Web/sites/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Web/sites/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..517bc60383 --- /dev/null +++ b/arm/Microsoft.Web/sites/.bicep/nested_privateEndpoint.bicep 
@@ -0,0 +1,49 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpointObj object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: contains(privateEndpointObj, 'name') ? (!empty(privateEndpointObj.name) ? privateEndpointObj.name : '${privateEndpointResourceName}-${privateEndpointObj.service}') : '${privateEndpointResourceName}-${privateEndpointObj.service}'
+ subnetResourceId: privateEndpointObj.subnetResourceId
+ service: [
+ privateEndpointObj.service
+ ]
+ privateDnsZoneResourceIds: contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (!empty(privateEndpointObj.privateDnsZoneResourceIds) ? privateEndpointObj.privateDnsZoneResourceIds : []) : []
+ customDnsConfigs: contains(privateEndpointObj, 'customDnsConfigs') ? (!empty(privateEndpointObj.customDnsConfigs) ? privateEndpointObj.customDnsConfigs : null) : null
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+}
+
+resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
+ name: '${privateEndpoint.name}/default'
+ properties: {
+ privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: {
+ name: last(split(privateDnsZoneResourceId, '/'))
+ properties: {
+ privateDnsZoneId: privateDnsZoneResourceId
+ }
+ }]
+ }
+}
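Review bot: The four parameters of the new module carry no `@description` decorators, unlike every other parameter in this diff; suggested text is `@description('Required. Resource ID of the resource the private endpoint is created for.')` on `privateEndpointResourceId`, `@description('Required. Location of the virtual network that hosts the private endpoint subnet.')` on `privateEndpointVnetLocation`, `@description('Required. Private endpoint definition. Requires subnetResourceId and service; name, privateDnsZoneResourceIds and customDnsConfigs are optional.')` on `privateEndpointObj`, and `@description('Required. Tags applied to the private endpoint.')` on `tags`. The fallback name `'${privateEndpointResourceName}-${privateEndpointObj.service}'` is written twice inside `privateEndpoint_var`; hoisting it into its own `var` keeps the two copies from drifting. `privateDnsZoneGroups` addresses its parent through the `'${privateEndpoint.name}/default'` name string, where `parent: privateEndpoint` with `name: 'default'` expresses the same dependency and is the form the Bicep linter prefers.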
diff --git a/arm/Microsoft.Web/sites/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Web/sites/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Web/sites/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Web/sites/.bicep/nested_rbac.bicep index ff31a44080..e5f83a9cd4 100644 --- a/arm/Microsoft.Web/sites/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Web/sites/.bicep/nested_rbac.bicep @@ -49,7 +49,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev description: description roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: app }] diff --git a/arm/Microsoft.Web/sites/.parameters/fa.parameters.json b/arm/Microsoft.Web/sites/.parameters/fa.parameters.json index e67fc9f53e..babf8b85f2 100644 --- a/arm/Microsoft.Web/sites/.parameters/fa.parameters.json +++ b/arm/Microsoft.Web/sites/.parameters/fa.parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-fa-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "kind": { "value": "functionapp" }, @@ -133,14 +130,6 @@ }, "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" - }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "sites" - } - ] } } } diff --git a/arm/Microsoft.Web/sites/.parameters/wa.min.parameters.json b/arm/Microsoft.Web/sites/.parameters/wa.min.parameters.json index 588beef102..73cc95e2f9 100644 --- a/arm/Microsoft.Web/sites/.parameters/wa.min.parameters.json +++ b/arm/Microsoft.Web/sites/.parameters/wa.min.parameters.json 
@@ -10,6 +10,6 @@ }, "serverFarmResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Web/serverFarms/adp-<>-az-asp-x-001" - } + }, } } diff --git a/arm/Microsoft.Web/sites/.parameters/wa.parameters.json b/arm/Microsoft.Web/sites/.parameters/wa.parameters.json index 75ea5f8f00..1816b99cbf 100644 --- a/arm/Microsoft.Web/sites/.parameters/wa.parameters.json +++ b/arm/Microsoft.Web/sites/.parameters/wa.parameters.json @@ -57,14 +57,6 @@ }, "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" - }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "sites" - } - ] } } } diff --git a/arm/Microsoft.Web/sites/deploy.bicep b/arm/Microsoft.Web/sites/deploy.bicep index 55db6c425d..bcc17125e1 100644 --- a/arm/Microsoft.Web/sites/deploy.bicep +++ b/arm/Microsoft.Web/sites/deploy.bicep @@ -61,12 +61,12 @@ param authSettingV2Configuration object = {} // Lock @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' // Private Endpoints @description('Optional. Configuration details for private endpoints.') @@ -163,7 +163,7 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false // =========== // // Deployments // @@ -208,7 +208,7 @@ module app_appsettings 'config-appsettings/deploy.bicep' = if (!empty(appSetting appInsightId: appInsightId setAzureWebJobsDashboard: setAzureWebJobsDashboard appSettingsKeyValuePairs: appSettingsKeyValuePairs - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } 
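Review bot: The change from `}` to `},` after the `serverFarmResourceId` block leaves a trailing comma before the closing brace of `parameters`, which is not valid JSON; a strict parser rejects the file and any tool that accepts it is relying on a lenient parser. The line should stay `}`. Nothing else in the hunk depends on the comma, so this looks like an accidental edit rather than a prepared insertion point.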
@@ -218,14 +218,14 @@ module app_authsettingsv2 'config-authsettingsv2/deploy.bicep' = if (!empty(auth appName: app.name kind: kind authSettingV2Configuration: authSettingV2Configuration - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry } } -resource app_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource app_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${app.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: app @@ -244,7 +244,7 @@ resource app_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-0 scope: app } -module app_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module app_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-Site-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' 
@@ -255,23 +255,13 @@ module app_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, in } }] -module app_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-Site-PrivateEndpoint-${index}' +module app_privateEndpoint '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: { + name: '${uniqueString(deployment().name, location)}-Site-PrivateEndpoints-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(app.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: app.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: app.id + privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + privateEndpointObj: privateEndpoint + tags: tags } }] diff --git a/arm/Microsoft.Web/sites/readme.md b/arm/Microsoft.Web/sites/readme.md index 41ce95d629..82fc3f41aa 100644 --- a/arm/Microsoft.Web/sites/readme.md 
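Review bot: The rewritten `app_privateEndpoint` call no longer forwards `lock` (previously `contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock`), `roleAssignments`, `manualPrivateLinkServiceConnections` or `privateDnsZoneGroups`, and passes the site's `tags` rather than the endpoint's own; because the whole object is handed over as `privateEndpointObj`, a caller still supplying those keys gets no validation error, just a private endpoint that is silently unlocked, untagged as intended and without the requested DNS zone group. The sites copy of `.bicep/nested_privateEndpoint.bicep` is outside this chunk, so whether it honours any of those keys cannot be confirmed here; the staticSites counterpart added in this change reads only `name`, `subnetResourceId`, `service`, `privateDnsZoneResourceIds` and `customDnsConfigs`. If the reduced surface is intended, the parameter description should say so, e.g. `@description('Optional. Configuration details for private endpoints. Supported keys: subnetResourceId, service, name, privateDnsZoneResourceIds, customDnsConfigs. Lock and role assignments are not applied to the endpoint.')`.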
+++ b/arm/Microsoft.Web/sites/readme.md @@ -48,7 +48,7 @@ This module deploys a web or function app. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `httpsOnly` | bool | `True` | | Configures a site to accept only HTTPS requests. Issues redirect for HTTP requests. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `serverFarmResourceId` | string | `''` | | The resource ID of the app service plan to use for the site. | @@ -458,9 +458,6 @@ module sites './Microsoft.Web/sites/deploy.bicep' = { "name": { "value": "<>-az-fa-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "kind": { "value": "functionapp" }, @@ -586,14 +583,6 @@ module sites './Microsoft.Web/sites/deploy.bicep' = { }, "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" - }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "sites" - } - ] } } } 
@@ -611,7 +600,6 @@ module sites './Microsoft.Web/sites/deploy.bicep' = { name: '${uniqueString(deployment().name)}-sites' params: { name: '<>-az-fa-x-001' - lock: 'CanNotDelete' kind: 'functionapp' serverFarmResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Web/serverFarms/adp-<>-az-asp-x-001' siteConfig: { @@ -706,12 +694,6 @@ module sites './Microsoft.Web/sites/deploy.bicep' = { diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' diagnosticEventHubAuthorizationRuleId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' diagnosticEventHubName: 'adp-<>-az-evh-x-001' - privateEndpoints: [ - { - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' - service: 'sites' - } - ] } ``` @@ -737,7 +719,7 @@ module sites './Microsoft.Web/sites/deploy.bicep' = { }, "serverFarmResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Web/serverFarms/adp-<>-az-asp-x-001" - } + }, } } @@ -828,14 +810,6 @@ module sites './Microsoft.Web/sites/deploy.bicep' = { }, "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" - }, - "privateEndpoints": { - "value": [ - { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", - "service": "sites" - } - ] } } } 
@@ -882,12 +856,6 @@ module sites './Microsoft.Web/sites/deploy.bicep' = { diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' diagnosticEventHubAuthorizationRuleId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' diagnosticEventHubName: 'adp-<>-az-evh-x-001' - privateEndpoints: [ - { - subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' - service: 'sites' - } - ] } ``` diff --git a/arm/Microsoft.Web/staticSites/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Web/staticSites/.bicep/nested_privateEndpoint.bicep new file mode 100644 index 0000000000..517bc60383 --- /dev/null +++ b/arm/Microsoft.Web/staticSites/.bicep/nested_privateEndpoint.bicep 
@@ -0,0 +1,49 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpointObj object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: contains(privateEndpointObj, 'name') ? (!empty(privateEndpointObj.name) ? privateEndpointObj.name : '${privateEndpointResourceName}-${privateEndpointObj.service}') : '${privateEndpointResourceName}-${privateEndpointObj.service}'
+ subnetResourceId: privateEndpointObj.subnetResourceId
+ service: [
+ privateEndpointObj.service
+ ]
+ privateDnsZoneResourceIds: contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (!empty(privateEndpointObj.privateDnsZoneResourceIds) ? privateEndpointObj.privateDnsZoneResourceIds : []) : []
+ customDnsConfigs: contains(privateEndpointObj, 'customDnsConfigs') ? (!empty(privateEndpointObj.customDnsConfigs) ? privateEndpointObj.customDnsConfigs : null) : null
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+}
+
+resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
+ name: '${privateEndpoint.name}/default'
+ properties: {
+ privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: {
+ name: last(split(privateDnsZoneResourceId, '/'))
+ properties: {
+ privateDnsZoneId: privateDnsZoneResourceId
+ }
+ }]
+ }
+}
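Review bot: The new module documents nothing about the object shape it expects, and because `privateEndpointObj` is an untyped `object`, any key it does not read (the old cross-module call accepted `lock`, `roleAssignments`, `privateDnsZoneGroups`, `manualPrivateLinkServiceConnections`, `tags`) is dropped without a diagnostic; a header comment above the params stating the contract would make that visible, e.g. `// privateEndpointObj: requires subnetResourceId and service; optional name, privateDnsZoneResourceIds, customDnsConfigs. Other keys are ignored; no lock or role assignment is created for the endpoint.` It is also worth stating in the same comment that when `privateDnsZoneResourceIds` is omitted no `privateDnsZoneGroups` resource is deployed, so unless DNS is managed elsewhere clients will typically keep resolving the service's public address and the private endpoint will not be used. `manualPrivateLinkServiceConnections` is hard-coded to `[]`, so approval-based connections that the previous implementation accepted can no longer be expressed through this module.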
diff --git a/arm/Microsoft.Web/staticSites/.bicep/nested_roleAssignments.bicep b/arm/Microsoft.Web/staticSites/.bicep/nested_rbac.bicep similarity index 97% rename from arm/Microsoft.Web/staticSites/.bicep/nested_roleAssignments.bicep rename to arm/Microsoft.Web/staticSites/.bicep/nested_rbac.bicep index d8c01ae5d9..d05dc3a574 100644 --- a/arm/Microsoft.Web/staticSites/.bicep/nested_roleAssignments.bicep +++ b/arm/Microsoft.Web/staticSites/.bicep/nested_rbac.bicep @@ -28,7 +28,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev properties: { roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: staticSite }] diff --git a/arm/Microsoft.Web/staticSites/.parameters/parameters.json b/arm/Microsoft.Web/staticSites/.parameters/parameters.json index 68d8697715..46d43ca75f 100644 --- a/arm/Microsoft.Web/staticSites/.parameters/parameters.json +++ b/arm/Microsoft.Web/staticSites/.parameters/parameters.json @@ -5,9 +5,6 @@ "name": { "value": "<>-az-wss-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "sku": { "value": "Standard" }, diff --git a/arm/Microsoft.Web/staticSites/deploy.bicep b/arm/Microsoft.Web/staticSites/deploy.bicep index 382741ee17..d88a15ca27 100644 --- a/arm/Microsoft.Web/staticSites/deploy.bicep +++ b/arm/Microsoft.Web/staticSites/deploy.bicep @@ -58,12 +58,12 @@ param systemAssignedIdentity bool = false param userAssignedIdentities object = {} @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Configuration details for private endpoints.') param privateEndpoints array = [] 
@@ -77,8 +77,6 @@ param enableDefaultTelemetry bool = true @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -var enableReferencedModulesTelemetry = false - var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { @@ -120,16 +118,16 @@ resource staticSite 'Microsoft.Web/staticSites@2021-03-01' = { } } -resource staticSite_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource staticSite_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${staticSite.name}-${lock}-lock' properties: { - level: any(lock) + level: lock notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: staticSite } -module staticSite_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module staticSite_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-StaticSite-Rbac-${index}' params: { principalIds: roleAssignment.principalIds 
@@ -138,23 +136,13 @@ module staticSite_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignm } }] -module staticSite_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-StaticSite-PrivateEndpoint-${index}' +module staticSite_privateEndpoint '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: { + name: '${uniqueString(deployment().name, location)}-StaticSite-PrivateEndpoints-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(staticSite.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: staticSite.id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: staticSite.id + privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + privateEndpointObj: privateEndpoint + tags: tags } }] 
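Review bot: The private endpoint created by `staticSite_privateEndpoint` now carries no resource lock: the removed call inherited the static site's `lock` (`contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock`), whereas the nested module added in this change declares no `lock` parameter and no `Microsoft.Authorization/locks` resource, so a `CanNotDelete` lock on the static site no longer protects the endpoint that provides its private connectivity, and a caller's `privateEndpoint.lock` key is silently ignored. `roleAssignments` and `manualPrivateLinkServiceConnections` are dropped the same way, and `tags: tags` replaces the per-endpoint `privateEndpoint.tags`. If the lock is meant to be preserved, pass `lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock` here and give `.bicep/nested_privateEndpoint.bicep` a matching `lock` parameter with a conditional locks resource scoped to the endpoint, mirroring `staticSite_lock` in this file.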
diff --git a/arm/Microsoft.Web/staticSites/readme.md b/arm/Microsoft.Web/staticSites/readme.md index 50a91d2f83..03e40547ac 100644 --- a/arm/Microsoft.Web/staticSites/readme.md +++ b/arm/Microsoft.Web/staticSites/readme.md @@ -35,7 +35,7 @@ This module deploys a Static Web Site. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `enterpriseGradeCdnStatus` | string | `'Disabled'` | `[Disabled, Disabling, Enabled, Enabling]` | State indicating the status of the enterprise grade CDN serving traffic to the static web app. | | `location` | string | `[resourceGroup().location]` | | Location to deploy static site. The following locations are supported: CentralUS, EastUS2, EastAsia, WestEurope, WestUS2. | -| `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | +| `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. | | `provider` | string | `'None'` | | The provider that submitted the last deployment to the primary environment of the static site. | | `repositoryToken` | secureString | `''` | | The Personal Access Token for accessing the GitHub repo. | @@ -321,9 +321,6 @@ module staticSites './Microsoft.Web/staticSites/deploy.bicep' = { "name": { "value": "<>-az-wss-x-001" }, - "lock": { - "value": "CanNotDelete" - }, "sku": { "value": "Standard" }, @@ -378,7 +375,6 @@ module staticSites './Microsoft.Web/staticSites/deploy.bicep' = { name: '${uniqueString(deployment().name)}-staticSites' params: { name: '<>-az-wss-x-001' - lock: 'CanNotDelete' sku: 'Standard' stagingEnvironmentPolicy: 'Enabled' allowConfigFileUpdates: true diff --git a/arm/README.md b/arm/README.md index 6be8a65948..fd8a96cd63 100644 --- a/arm/README.md +++ b/arm/README.md 
@@ -31,7 +31,6 @@ In this section you can find useful information regarding the Modules that are c | [Azure Kubernetes Services](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ContainerService/managedClusters) | `MS.ContainerService` | [managedClusters](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ContainerService/managedClusters) | | [Azure Databricks](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Databricks/workspaces) | `MS.Databricks` | [workspaces](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Databricks/workspaces) | | [Data Factories](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.DataFactory/factories) | `MS.DataFactory` | [factories](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.DataFactory/factories) | -| [DataProtection BackupVaults](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.DataProtection/backupVaults) | `MS.DataProtection` | [backupVaults](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.DataProtection/backupVaults) | | [AVD Application Groups](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.DesktopVirtualization/applicationgroups) | `MS.DesktopVirtualization` | [applicationgroups](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.DesktopVirtualization/applicationgroups) | | [AVD Host Pools](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.DesktopVirtualization/hostpools) | | [hostpools](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.DesktopVirtualization/hostpools) | | [AVD Scaling Plans](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.DesktopVirtualization/scalingplans) | | [scalingplans](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.DesktopVirtualization/scalingplans) | 
@@ -86,7 +85,6 @@ In this section you can find useful information regarding the Modules that are c | [VPN Gateways](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/vpnGateways) | | [vpnGateways](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/vpnGateways) | | [VPN Sites](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/vpnSites) | | [vpnSites](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/vpnSites) | | [Log Analytics Workspaces](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.OperationalInsights/workspaces) | `MS.OperationalInsights` | [workspaces](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.OperationalInsights/workspaces) | -| [OperationsManagement Solutions](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.OperationsManagement/solutions) | `MS.OperationsManagement` | [solutions](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.OperationsManagement/solutions) | | [Recovery Services Vaults](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.RecoveryServices/vaults) | `MS.RecoveryServices` | [vaults](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.RecoveryServices/vaults) | | [Deployment Scripts](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Resources/deploymentScripts) | `MS.Resources` | [deploymentScripts](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Resources/deploymentScripts) | | [Resource Groups](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Resources/resourceGroups) | | [resourceGroups](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Resources/resourceGroups) | 
diff --git a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_roleAssignments.bicep b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_rbac.bicep similarity index 100% rename from constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_roleAssignments.bicep rename to constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/.bicep/nested_rbac.bicep diff --git a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/deploy.bicep b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/deploy.bicep index 0fbe0c0688..420aeee2f2 100644 --- a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/deploy.bicep +++ b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/deploy.bicep @@ -30,7 +30,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -module nested_role_assignments_mg '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { +module nested_rbac_mg '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { name: 'roleAssignment-mg-${guid(roleAssignment.roleDefinitionIdOrName)}-${index}' params: { principalIds: roleAssignment.principalIds 
@@ -40,7 +40,7 @@ module nested_role_assignments_mg '.bicep/nested_roleAssignments.bicep' = [for ( } }] -module nested_role_assignments_sub '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) { +module nested_rbac_sub '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) { name: 'roleAssignment-sub-${guid(roleAssignment.roleDefinitionIdOrName)}-${index}' params: { principalIds: roleAssignment.principalIds @@ -50,7 +50,7 @@ module nested_role_assignments_sub '.bicep/nested_roleAssignments.bicep' = [for } }] -module nested_role_assignments_rg '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) { +module nested_rbac_rg '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) { name: 'roleAssignment-rg-${guid(roleAssignment.roleDefinitionIdOrName)}-${index}' params: { principalIds: roleAssignment.principalIds 
@@ -62,7 +62,7 @@ module nested_role_assignments_rg '.bicep/nested_roleAssignments.bicep' = [for ( }] @description('The scope of the deployed role assignments.') -output roleAssignmentScope string = !empty(managementGroupId) ? nested_role_assignments_mg[0].outputs.roleAssignmentScope : (!empty(resourceGroupName) ? nested_role_assignments_rg[0].outputs.roleAssignmentScope : nested_role_assignments_sub[0].outputs.roleAssignmentScope) +output roleAssignmentScope string = !empty(managementGroupId) ? nested_rbac_mg[0].outputs.roleAssignmentScope : (!empty(resourceGroupName) ? nested_rbac_rg[0].outputs.roleAssignmentScope : nested_rbac_sub[0].outputs.roleAssignmentScope) @description('The names of the deployed role assignments.') output roleAssignments array = roleAssignments diff --git a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/readme.md b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/readme.md index 33de0faaef..9d53d19b2f 100644 --- a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/readme.md +++ b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/readme.md 
@@ -27,7 +27,6 @@ This module deploys Role Assignments. | `roleAssignments` | array | `[]` | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `subscriptionId` | string | `''` | Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | - ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. diff --git a/constructs/Microsoft.Compute/virtualMachinesMultiple/deploy.bicep b/constructs/Microsoft.Compute/virtualMachinesMultiple/deploy.bicep index f35a53e0c0..5d87b099e5 100644 --- a/constructs/Microsoft.Compute/virtualMachinesMultiple/deploy.bicep +++ b/constructs/Microsoft.Compute/virtualMachinesMultiple/deploy.bicep 
@@ -247,12 +247,12 @@ param diagnosticEventHubAuthorizationRuleId string = '' param diagnosticEventHubName string = '' @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -260,6 +260,9 @@ param roleAssignments array = [] @description('Optional. Tags of the resource.') param tags object = {} +@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') +param enableDefaultTelemetry bool = true + @description('Generated. Do not provide a value! This date value is used to generate a registration token.') param baseTime string = utcNow('u') @@ -292,13 +295,13 @@ param additionalUnattendContent array = [] param winRM object = {} @description('Optional. Any VM configuration profile assignments.') -param configurationProfileAssignments string = '' +param configurationProfileAssignments array = [] var vmGeneratedNames = [for instance in range(0, vmNumberOfInstances): '${vmNamePrefix}${padLeft((instance + vmInitialNumber), 3, '0')}'] var vmNamesToApply = !empty(vmNames) ? vmNames : vmGeneratedNames -var enableReferencedModulesTelemetry = false +var enableChildTelemetry = false module virtualMachine '../../../arm/Microsoft.Compute/virtualMachines/deploy.bicep' = [for (vmName, index) in vmNamesToApply: { name: '${deployment().name}-vm-${index}' 
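Review bot: The new `enableDefaultTelemetry` parameter is declared but, within the hunks visible here, nothing consumes it: the child `virtualMachine` module still receives `enableDefaultTelemetry: enableChildTelemetry`, which is the constant `false`, and no `defaultTelemetry` deployment resource is added to this construct. Other modules in this repository gate a `Microsoft.Resources/deployments` telemetry resource on `enableDefaultTelemetry` (as the `roleAssignments-multiRolesMultiPrincipals` construct does), so either the same resource belongs in this file or the parameter is dead and will be flagged by the linter as unused. If the resource is added elsewhere in the file outside this chunk, a one-line comment on the parameter noting where it is consumed would avoid the same question on the next review. Separately, `configurationProfileAssignments` changing from `string = ''` to `array = []` is a breaking change for existing callers of this construct and should be called out in the changelog or readme.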
@@ -321,7 +324,7 @@ module virtualMachine '../../../arm/Microsoft.Compute/virtualMachines/deploy.bic bootDiagnosticStorageAccountName: bootDiagnosticStorageAccountName bootDiagnosticStorageAccountUri: bootDiagnosticStorageAccountUri certificatesToBeInstalled: certificatesToBeInstalled - configurationProfile: configurationProfileAssignments + configurationProfileAssignments: configurationProfileAssignments customData: customData dataDisks: dataDisks dedicatedHostId: dedicatedHostId @@ -332,7 +335,7 @@ module virtualMachine '../../../arm/Microsoft.Compute/virtualMachines/deploy.bic diagnosticWorkspaceId: diagnosticWorkspaceId disablePasswordAuthentication: disablePasswordAuthentication enableAutomaticUpdates: enableAutomaticUpdates - enableDefaultTelemetry: enableReferencedModulesTelemetry + enableDefaultTelemetry: enableChildTelemetry enableEvictionPolicy: enableEvictionPolicy enableServerSideEncryption: enableServerSideEncryption encryptionAtHost: encryptionAtHost diff --git a/docs/wiki/Getting started - Get module cross-references.md b/docs/wiki/Getting started - Get module cross-references.md deleted file mode 100644 index 01a521d98b..0000000000 --- a/docs/wiki/Getting started - Get module cross-references.md +++ /dev/null 
@@ -1,102 +0,0 @@ -The `'Get-LinkedLocalModuleList'` function provides you with the capability to check for any local module references in a given path. This can be useful to determine which modules folder you'd need if you don't want to keep the entire library. - ---- - -### _Navigation_ - -- [Location](#location) -- [How it works](#what-it-does) -- [How to use it](#how-to-use-it) -- [Related function: _Get-LinkedModuleList_](#related-function-get-linkedmodulelist) - ---- -# Location - -You can find the script under `'utilities/tools/Get-LinkedLocalModuleList.ps1'` - -# How it works - -When invoking the script: - -1. The function leverages the utility [Get-LinkedModuleList](#related-function-get-linkedmodulelist) to fetch all references implemented in the modules in a given path -1. The function filters these references down to only local references (i.e. cross-module references) and formats them to show a consistent '\/\' format. -1. Finally, it prints the references to the invoking terminal, group by ResourceType. - -# How to use it - -> **Note:** The script must be loaded before the function can be invoked - -For details on how to use the function please refer to the script's local documentation. 
- -## Example output - -```PowerShell -VERBOSE: The modules in path [ResourceModules\arm] have the following local folder dependencies: -VERBOSE: -VERBOSE: Resource: Microsoft.ApiManagement/service -VERBOSE: - Microsoft.ApiManagement/authorizationServers -VERBOSE: -VERBOSE: Resource: Microsoft.ContainerRegistry/registries -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.Web/sites -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.EventHub/namespaces -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.MachineLearningServices/workspaces -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.Network/bastionHosts -VERBOSE: - Microsoft.Network/publicIPAddresses -VERBOSE: -VERBOSE: Resource: Microsoft.Sql/servers -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.Insights/privateLinkScopes -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.Web/staticSites -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.Storage/storageAccounts -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.Automation/automationAccounts -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.ServiceBus/namespaces -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.Compute/virtualMachines -VERBOSE: - Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems -VERBOSE: - Microsoft.Network/publicIPAddresses -VERBOSE: - Microsoft.Network/networkInterfaces -VERBOSE: -VERBOSE: Resource: Microsoft.CognitiveServices/accounts -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.Synapse/privateLinkHubs -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: 
Microsoft.AppConfiguration/configurationStores -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.EventGrid/topics -VERBOSE: - Microsoft.Network/privateEndpoints -VERBOSE: -VERBOSE: Resource: Microsoft.KeyVault/vaults -VERBOSE: - Microsoft.Network/privateEndpoints -``` - -# Related function: _Get-LinkedModuleList_ - -The function `'Get-LinkedModuleList'` (also in path `'utilities/tools'`) is leveraged by the `'Get-LinkedLocalModuleList'` function, but can also be invoked on its own. You can use it to get an overview of all references implemented in any module in a given path. This includes: -- Resource deployments -- Cross-Module references -- Remove-Module references (e.g., Bicep Registry) - -> **Note:** The script must be loaded before the function can be invoked - -For details on how to use the function please refer to the script's local documentation. diff --git a/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md index 63c1784079..6238aec25a 100644 --- a/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md 
@@ -31,8 +31,6 @@ Next you'll want to create your own copy of the code. Depending on the repositor > **Note:** Whether you chose GitHub or Azure DevOps as your repository's environment does not affect your options when registering the pipelines. -> **Note:** If you don't want to use all modules, you can remove those that should not be part of your library. However, when doing so, make sure you use the utility [`Get-LinkedLocalModuleList`](./Getting%20started%20-%20Get%20module%20cross-references) to check for any cross-module references. For example, you may find that when you'd remove the 'Microsoft.Network/privateEndpoints', that it is still referenced by some of the modules you may want to use (for example 'Microsoft.KeyVault/vaults'). In those cases, make sure to not accidently delete required references. -
GitHub Repository @@ -119,7 +117,6 @@ For _GitHub_, you have to perform the following environment-specific steps: - [3.2.1 Setup secrets](#321-setup-secrets) - [3.2.2 Setup variables file](#322-setup-variables-file) - [3.2.3 Enable actions](#323-enable-actions) -- [3.2.4 Set R/W Workflow permissions](#324-set-rw-workflow-permissions) ### 3.2.1 Setup secrets @@ -218,19 +215,6 @@ To do so, perform the following steps: Enable Actions - -### 3.2.4 Set R/W Workflow permissions - -To let the worflow engine publish their results into your repository, you have to enable the read / write access for the github actions. - -1. Navigate to the `Settings` tab on the top of your repository page. - -1. Within the section `Code and automation` click on `Actions` and `General` - -1. Make sure to enable `Read and write permissions` - - Workflow Permissions -

diff --git a/docs/wiki/Solution creation.md b/docs/wiki/Solution creation.md index a2de168827..20c360e8e3 100644 --- a/docs/wiki/Solution creation.md +++ b/docs/wiki/Solution creation.md @@ -2,30 +2,25 @@ This section shows you how you can orchestrate a deployment using multiple resource modules. -> **Note:** For the sake of any of the below examples we assume you leverage Bicep as your primary DSL. - --- ### _Navigation_ -- [Upstream workloads](#upstream-workloads) - [Orchestration overview](#orchestration-overview) - [Template orchestration](#template-orchestration) - - [How to start](#how-to-start) - - [Examples](#examples) + - [Example with local file references](#example-with-local-file-references) + - [Example with a Private Bicep Registry](#example-with-a-Private-Bicep-Registry) + - [Example with template-specs](#example-with-template-specs) - [Pipeline orchestration](#pipeline-orchestration) + - [\[GitHub\] Sample solution for multi-repository approach](#github-sample-solution-for-multi-repository-approach) + - [Summary](#summary) + - [Repo structure](#repo-structure) + - [YAML pipeline](#yaml-pipeline) + - [Notes](#notes) --- -# Upstream workloads - -There are several open-source repositories that leverage the CARML library today. Alongside the examples we provide you with below, the referenced repositories are a good reference on how you can leverage CARML for larger solutions. - -| Repository | Description | -| - | - | -| [AVD Accelerator](https://github.com/Azure/avdaccelerator) | AVD Accelerator deployment automation to simplify the setup of AVD (Azure Virtual Desktop) | -| [AKS Baseline Automation](https://github.com/Azure/aks-baseline-automation) | Repository for the AKS Landing Zone Accelerator program's Automation reference implementation | -| [DevOps Self-Hosted](https://github.com/Azure/DevOps-Self-Hosted) | - Create & maintain images with a pipeline using the Azure Image Builder service

- Deploy & maintain Azure DevOps Self-Hosted agent pools with a pipeline using Virtual Machine Scale Set| +> **Note:** For the sake of the below examples we assume you leverage Bicep as your primary DSL. # Orchestration overview 
@@ -48,23 +43,7 @@ With this approach, modules need to be stored in an available location, where th In an enterprise environment, the recommended approach is to store these templates in a private environment, only accessible by enterprise resources. Thus, only trusted authorities can have access to these files. -## How to start - -Once you start building a solution using this library you may wonder how best to start. Following you can find some points that can accelerate your experience: - -- Use the [VS-Code extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep) for Bicep to enable DSL-native features such as auto-complete. Metadata implemented in our modules are automatically loaded through the extension. -- Use the readme - - If you don't know how to use an object/array parameter you can check if the module's ReadMe file specifies any 'Parameter Usage' block for set parameter ([example](https://github.com/Azure/ResourceModules/blob/main/arm/Microsoft.AnalysisServices/servers/readme.md#parameter-usage-tags)) - or - check the module's `Deployment Examples` ([example](https://github.com/Azure/ResourceModules/blob/main/arm/Microsoft.AnalysisServices/servers/readme.md#deployment-examples)). - - In general, take note of the `Deployment Examples` specified in each module's ReadMe file as they provide you with rich & tested examples of how set module can be deployed ([example](https://github.com/Azure/ResourceModules/blob/main/arm/Microsoft.AnalysisServices/servers/readme.md#deployment-examples)). An easy way to get started is to copy one of the examples and then adjust to it your needs. -- Note the outputs that are returned by each module. - - If an output you need isn't available, you have 2 choices: - 1. Add the missing output to the module - 1. Reference the deployed resource using the `existing` keyword (Note: You cannot reference the same resource as both a new deployment & `existing`. 
To make this work, you have to move the `existing` reference into it's own `.bicep` file). - -## Examples - -

-Referencing local files +## ***Example with local file references*** The following example shows how you could orchestrate a deployment of multiple resources using local module references. In this example we will deploy a resource group with a contained NSG and use the same in a subsequent VNET deployment. @@ -150,10 +129,7 @@ module vnet '../arm/Microsoft.Network/virtualNetworks/deploy.bicep' = { } ``` -
- -
-Referencing a Private Bicep Registry +## ***Example with a Private Bicep Registry*** The following example shows how you could orchestrate a deployment of multiple resources using modules from a private Bicep Registry. In this example we will deploy a resource group with a contained NSG and use the same in a subsequent VNET deployment. @@ -256,10 +232,7 @@ The example assumes you are using a [`bicepconfig.json`](https://docs.microsoft. } ``` -
- -
-Referencing Template-Specs +## ***Example with template-specs*** The following example shows how you could orchestrate a deployment of multiple resources using template specs. In this example we will deploy a NSG and use the same in a subsequent VNET deployment. @@ -362,15 +335,11 @@ The example assumes you are using a [`bicepconfig.json`](https://docs.microsoft. } ``` -
-

- # Pipeline-orchestration The modules provided by this repo can be orchestrated to create more complex infrastructures and as such reusable solutions or products. This approach leverages the main 'ResourceModules' repository alongside its contained modules & pipeline templates to deploy resources. Each pipeline job deploys one instance of a resources and their order is controlled by specifying dependencies in the pipeline itself. -

-[GitHub] Sample solution for multi-repository approach +## ***[GitHub] Sample solution for multi-repository approach*** ### Summary @@ -391,7 +360,7 @@ The modules provided by this repo can be orchestrated to create more complex inf ### YAML pipeline -```YAML +``` YAML name: 'Multi-Repo solution deployment' on: @@ -468,5 +437,3 @@ jobs: > 1. 'Azure/ResourceModules' repo has been checked out at the root location intentionally because GitHub Actions expect the underlying utility scripts and variables at a specific location > 1. 'contoso/MultiRepoTest' repo has been checked out in a nested folder called as "MultiRepoTestParentFolder" to distinguish it from the folders from the other repo in the agent but can be downloaded at the root location too if desired - -
diff --git a/docs/wiki/The CI environment - Deployment validation.md b/docs/wiki/The CI environment - Deployment validation.md index 4bd9612953..454989fa60 100644 --- a/docs/wiki/The CI environment - Deployment validation.md +++ b/docs/wiki/The CI environment - Deployment validation.md @@ -57,7 +57,7 @@ The removal process will remove all resources created by the deployment. The lis 1. Recursively fetching the list of resource IDs created in the deployment (identified via the used deployment name). 1. Ordering the list based on resource IDs segment count (ensures child resources are removed first. E.g. `storageAccount/blobServices` comes before `storageAccount` as it has one more segments delimited by `/`). 1. Filtering out resources used as dependencies for different modules from the list (e.g. the commonly used Log Analytics workspace). -1. Moving specific resource types to the top of the list (if a certain order is required). For example `diagnosticSettings` need to be removed before the resource to which they are applied, even though they are no child-resources. +1. Moving specific resource types to the top of the list (if a certain order is required). For example `vWAN` requires its `Virtual Hubs` to be removed first, even though they are no child-resources. After a resource is removed (this happens after each resource in the list), the script will execute, if defined, a **post removal operation**. This can be used for those resource types that requires a post-processing, like purging a soft-deleted key vault. 
@@ -74,12 +74,12 @@ This paragraph is intended for CARML contributors who want to add a new module t The default removal procedure works for most of the modules. As such it is unlikely you'll have to change anything to enable your new module for removal post-deployment. However, if you need to, you can define a custom removal procedure by: -1. Influencing the **order** in which resources are removed by prioritizing specific resource types. - > **Example** _Diagnostic settings_ need to be removed before the resource to which they are applied. -1. Defining a **custom removal** action to remove a resource of a _specific resource type_. - > **Example** A _Recovery Services Vault_ resource requires some protected items to be identified and removed before the vault itself can be removed. -1. Defining a **custom post-removal** action to be run after removing a resource of a _specific resource type_. - > **Example** A _Key Vault_ resource needs to be purged when soft deletion is enforced. +1. influencing the **order** in which resources are removed by prioritizing specific resource types + > **Example** Removing a _Virtual WAN_ resource requires related resources to be deleted in a specific order +1. defining a **custom removal action** to remove a resource of a _specific resource type_ + > **Example** A _Recovery Services Vault_ resource requires some protected items to be identified and removed before the vault itself can be removed +1. defining a custom **post-removal action** to be run after removing a resource of a _specific resource type_ + > **Example** A _Key Vault_ resource needs to be purged when soft deletion is enforced Those methods can be combined independently. 
@@ -96,7 +96,7 @@ To define a **custom removal** action: 1. Add a case value that matches the resource type you want to customize the removal action for 1. In the case block, define the resource-type-specific removal action -To add a **custom post-removal** step: +To add a **post-removal** step: 1. Open the `/utilities/pipelines/resourceRemoval/helper/Invoke-ResourcePostRemoval.ps1` file. 1. Look for the following comment: `### CODE LOCATION: Add custom post-removal operation here` 1. Add a case value that matches the resource type you want to add a post-removal operation for diff --git a/docs/wiki/The library - Module design.md b/docs/wiki/The library - Module design.md index 12eb50a27d..28879c9d48 100644 --- a/docs/wiki/The library - Module design.md +++ b/docs/wiki/The library - Module design.md @@ -6,16 +6,13 @@ This section details the design principles followed by the CARML Bicep modules. - [General guidelines](#general-guidelines) - [File & folder structure](#file--folder-structure) - - [Structure](#structure) - - [**Child-Resources**](#child-resources) - [Naming](#naming) + - [Structure](#structure) - [Patterns](#patterns) - [Bicep template guidelines](#bicep-template-guidelines) - [Parameters](#parameters) - [Variables](#variables) - - [Resources](#resources) - - [Modules](#modules) - - [Deployment names](#deployment-names) + - [Resource](#resource) - [Outputs](#outputs) - [ReadMe](#readme) - [Parameter files](#parameter-files) 
@@ -94,25 +91,29 @@ module server_databases 'databases/deploy.bicep' = [for (database, index) in dat Use the following naming standard for module files and folders: - Module folders are in camelCase and their name reflects the main resource type of the Bicep module they are hosting (e.g. `storageAccounts`, `virtualMachines`). -- Extension resource modules are placed in the `.bicep` subfolder and named `nested_.bicep` +- Cross-referenced and extension resource modules are placed in the `.bicep` subfolder and named `nested_.bicep` ``` txt Microsoft. └─ ├─ .bicep - | ├─ nested_extensionResource1.bicep + | ├─ nested_crossReferencedResource1.bicep + | └─ nested_crossReferencedResource2.bicep ├─ .parameters | └─ parameters.json ├─ deploy.bicep └─ readme.md ``` - >**Example**: `nested_roleAssignments.bicep` in the `Microsoft.Web\sites\.bicep` folder contains the `site` resource RBAC implementation. + >**Example**: `nested_serverfarms.bicep` in the `Microsoft.Web\sites\.bicep` folder contains the cross-referenced `serverfarm` module leveraged by the top level `site` resource. >``` txt >Microsoft.Web >└─ sites > ├─ .bicep - > | └─ nested_roleAssignments.bicep + > | ├─ nested_components.bicep + > | ├─ nested_privateEndpoint.bicep + > | ├─ nested_rbac.bicep + > | └─ nested_serverfarms.bicep > ├─ .parameters > | └─ parameters.json > ├─ deploy.bicep @@ -123,46 +124,35 @@ Use the following naming standard for module files and folders: This section details patterns among extension resources that are usually very similar in their structure among all modules supporting them: -
-Locks +- [Locks](#locks) +- [RBAC](#rbac) +- [Diagnostic Settings](#diagnostic-settings) +- [Private Endpoints](#private-endpoints) + +### Locks The locks extension can be added as a `resource` to the resource template directly. ```bicep @allowed([ - '' 'CanNotDelete' + 'NotSpecified' 'ReadOnly' ]) @description('Optional. Specify the type of lock.') -param lock string = '' +param lock string = 'NotSpecified' -resource _lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource _lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { name: '${.name}-${lock}-lock' properties: { - level: any(lock) - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + level: lock + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: } ``` -> **Note:** How locks are passed to other resource templates depends on the type of module relationship: -> - Child and extension resources -> - Locks are not automatically passed down, as they are inherited by default in Azure -> - The reference of the child/extension template should look similar to: `lock: contains(, 'lock') ? .lock : ''` -> - Using this implementation, a lock is only deployed to the child/extension resource if explicitly specified in the module's parameter file -> - For example, the lock of a Storage Account module is not automatically passed to a Storage Container child-deployment. Instead, the Storage Container resource is automatically locked by Azure together with a locked Storage Account -> - Cross-referenced resources -> - All cross-referenced resources share the lock with the main resource to prevent depending resources to be changed or deleted -> - The reference of the cross-referenced resource template should look similar to: `lock: contains(, 'lock') ? 
.lock : lock` -> - Using this implementation, a lock of the main resource is implicitly passed to the referenced module template -> - For example, the lock of a Key Vault module is automatically passed to an also deployed Private Endpoint module deployment - -
- -
-RBAC +### RBAC The RBAC deployment has 2 elements to it. A module that contains the implementation, and a module reference in the parent resource - each with it's own loop to enable you to deploy n-amount of role assignments to n-amount of principals. @@ -171,7 +161,7 @@ The RBAC deployment has 2 elements to it. A module that contains the implementat @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] -module _rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { +module _rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${deployment().name}-rbac-${index}' params: { principalIds: roleAssignment.principalIds 
@@ -181,11 +171,11 @@ module _rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAss }] ``` -#### 2nd Element as nested `.bicep/nested_roleAssignments.bicep` file +#### 2nd Element as nested `.bicep/nested_rbac.bicep` file Here you specify the platform roles available for the main resource. -The `builtInRoleNames` variable contains the list of applicable roles for the specific resource which the `nested_roleAssignments.bicep` template applies. +The `builtInRoleNames` variable contains the list of applicable roles for the specific resource which the `nested_rbac.bicep` template applies. >**Note**: You use the helper script [Get-FormattedRBACRoles.ps1](./Contribution%20guide%20-%20Get%20formatted%20RBAC%20roles) to extract a formatted list of RBAC roles used in the CARML modules based on the RBAC lists in Azure. The element requires you to provide both the `principalIds` & `roleDefinitionOrIdName` to assign to the principal IDs. Also, the `resourceId` is target resource's resource ID that allows us to reference it as an `existing` resource. Note, the implementation of the `split` in the resource reference becomes longer the deeper you go in the child-resource hierarchy. @@ -218,17 +208,13 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev properties: { roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null + principalType: !empty(principalType) ? principalType : null } scope: }] ``` -
- -
-Diagnostic Settings - +### Diagnostic settings The diagnostic settings may differ slightly depending from resource to resource. Most notably, the `` as well as `` may be different and have to be added by you. However, it may just as well be the case they no metrics or no logs are existing. You can then remove the parameter and property from the resource itself. @@ -302,11 +288,7 @@ resource _diagnosticSettings 'Microsoft.Insights/diagnosticsetting } ``` -
- -
-Private Endpoints - +### Private Endpoints The Private Endpoint deployment has 2 elements to it. A module that contains the implementation, and a module reference in the parent resource. The first loops through the endpoints we want to create, the second processes them. 
@@ -316,29 +298,71 @@ The Private Endpoint deployment has 2 elements to it. A module that contains the @description('Optional. Configuration Details for private endpoints.') param privateEndpoints array = [] -module _privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}--PrivateEndpoint-${index}' +module _privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: { + name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-${index}' params: { - groupIds: [ - privateEndpoint.service - ] - name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(.id, '/'))}-${privateEndpoint.service}-${index}' - serviceResourceId: .id - subnetResourceId: privateEndpoint.subnetResourceId - enableDefaultTelemetry: enableReferencedModulesTelemetry - location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock - privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] - roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] - tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} - manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + privateEndpointResourceId: .id + privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + privateEndpointObj: privateEndpoint + tags: tags } }] - ``` -
+#### 2nd Element as nested `.bicep/nested_privateEndpoint.bicep` file + +```bicep +param privateEndpointResourceId string +param privateEndpointVnetLocation string +param privateEndpointObj object +param tags object + +var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) +var privateEndpoint_var = { + name: contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}' + subnetResourceId: privateEndpointObj.subnetResourceId + service: [ + privateEndpointObj.service + ] + privateDnsZoneResourceIds: contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : [] + customDnsConfigs: contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null +} + +resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { + name: privateEndpoint_var.name + location: privateEndpointVnetLocation + tags: tags + properties: { + privateLinkServiceConnections: [ + { + name: privateEndpoint_var.name + properties: { + privateLinkServiceId: privateEndpointResourceId + groupIds: privateEndpoint_var.service + } + } + ] + manualPrivateLinkServiceConnections: [] + subnet: { + id: privateEndpoint_var.subnetResourceId + } + customDnsConfigs: privateEndpoint_var.customDnsConfigs + } +} + +resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { + name: 'default' + properties: { + privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { + name: last(split(privateDnsZoneResourceId, '/')) + properties: { + privateDnsZoneId: privateDnsZoneResourceId + } + }] 
+ } + parent: privateEndpoint +} +``` --- 
@@ -427,9 +451,6 @@ Within a bicep file, use the following conventions: - Module symbolic names are in camel_Snake_Case, following the schema `_` e.g. `storageAccount_fileServices`, `virtualMachine_nic`, `resourceGroup_rbac`. - Modules enable you to reuse code from a Bicep file in other Bicep files. As such they're normally leveraged for deploying child resources (e.g. file services in a storage account), cross referenced resources (e.g. network interface in a virtual machine) or extension resources (e.g. role assignment in a resource group). - - When a module requires to deploy a resource whose resource type is outside of the main module's provider namespace, the module of this additional resource is referenced locally. For example, when extending the Key Vault module with Private Endpoints, instead of including in the Key Vault module an ad hoc implementation of a Private Endpoint, the Key Vault directly references the Private Endpoint module (i.e., `module privateEndpoint '../../Microsoft.Network/privateEndpoints/deploy.bicep'`). Major benefits of this implementation are less code duplication, more consistency throughout the module library and allowing the consumer to leverage the full interface provided by the referenced module. - > **Note**: Cross-referencing modules from the local repository creates a dependency for the modules applying this technique on the referenced modules being part of the local repository. Reusing the example from above, the Key Vault module has a dependency on the referenced Private Endpoint module, meaning that the repository from which the Key Vault module is deployed also requires the Private Endpoint module to be present. For this reason, we provide a utility to check for any local module references in a given path. This can be useful to determine which module folders you'd need if you don't want to keep the entire library. 
For further information on how to use the tool, please refer to the tool-specific [documentation](./Getting started%20-%20Get%20module%20cross-references). - ### Deployment names @@ -455,7 +476,7 @@ While exceptions might be needed, the following guidance should be followed as m ``` > **Example**: for the `roleAssignment` deployment in the key vault `secrets` template > ``` - > module secret_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: { + > module secret_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { > name: '${deployment().name}-Rbac-${index}' > ``` diff --git a/docs/wiki/media/SetupEnvironment/workflow_permissions.png b/docs/wiki/media/SetupEnvironment/workflow_permissions.png deleted file mode 100644 index b5a21c72d1..0000000000 Binary files a/docs/wiki/media/SetupEnvironment/workflow_permissions.png and /dev/null differ diff --git a/utilities/pipelines/dependencies/Microsoft.Automation/automationAccounts/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.Automation/automationAccounts/parameters/parameters.json index 7feb8576e2..2f53ae1738 100644 --- a/utilities/pipelines/dependencies/Microsoft.Automation/automationAccounts/parameters/parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Automation/automationAccounts/parameters/parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "adp-<>-az-aut-x-001" + "value": "adp-<>-wd-aut-x-001" } } } diff --git a/utilities/pipelines/dependencies/Microsoft.DesktopVirtualization/hostpools/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.DesktopVirtualization/hostpools/parameters/parameters.json index 16c9fa58a6..20b492a84e 100644 --- a/utilities/pipelines/dependencies/Microsoft.DesktopVirtualization/hostpools/parameters/parameters.json 
+++ b/utilities/pipelines/dependencies/Microsoft.DesktopVirtualization/hostpools/parameters/parameters.json
@@ -48,7 +48,7 @@
                 }
             }
         },
-    "validationEnvironment": {
+    "validationEnviroment": {
         "value": false
     }
 }
diff --git a/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/ase.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/ase.parameters.json
index c0ce81f215..6321666534 100644
--- a/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/ase.parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.Network/networkSecurityGroups/parameters/ase.parameters.json
@@ -19,19 +19,6 @@
                     "priority": 1010,
                     "direction": "Inbound"
                 }
-            },
-            {
-                "name": "AllowPortsForASE2",
-                "properties": {
-                    "protocol": "*",
-                    "sourcePortRange": "*",
-                    "sourceAddressPrefix": "AppServiceManagement",
-                    "destinationPortRange": "454-455",
-                    "destinationAddressPrefix": "10.0.9.0/24",
-                    "access": "Allow",
-                    "priority": 1020,
-                    "direction": "Inbound"
-                }
             }
         ]
     }
diff --git a/utilities/pipelines/dependencies/Microsoft.Network/publicIPAddresses/parameters/bas.additional.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/publicIPAddresses/parameters/bas.additional.parameters.json
deleted file mode 100644
index 1ed721df14..0000000000
--- a/utilities/pipelines/dependencies/Microsoft.Network/publicIPAddresses/parameters/bas.additional.parameters.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
-    "contentVersion": "1.0.0.0",
-    "parameters": {
-        "name": {
-            "value": "adp-<>-az-pip-additional-bas"
-        },
-        "skuName": {
-            "value": "Standard"
-        },
-        "publicIPAllocationMethod": {
-            "value": "Static"
-        }
-    }
-}
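Review bot: The renamed parameter key `validationEnviroment` in the hostpools parameters.json hunk looks misspelled, and an ARM/Bicep deployment rejects a parameter name the template does not declare, so this dependency deployment would fail unless the hostpools template's parameter is itself spelled that way. If the template declares `validationEnvironment`, keep the previous key: `"validationEnvironment": {`. Worth confirming against the module's `param` declaration before merging, since a parameter-name mismatch only surfaces at deployment time.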
diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/12.bastion.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/12.bastion.parameters.json
deleted file mode 100644
index 9440f7372b..0000000000
--- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/12.bastion.parameters.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
-    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
-    "contentVersion": "1.0.0.0",
-    "parameters": {
-        "name": {
-            "value": "adp-<>-az-vnet-add-bas"
-        },
-        "addressPrefixes": {
-            "value": [
-                "10.1.0.0/16"
-            ]
-        },
-        "subnets": {
-            "value": [
-                {
-                    "name": "AzureBastionSubnet", // Bastion subnet
-                    "addressPrefix": "10.1.5.0/24",
-                    "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-bastion"
-                }
-            ]
-        }
-    }
-}
diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/13.bastion.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/13.bastion.parameters.json
deleted file mode 100644
index f5b3af775a..0000000000
--- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/13.bastion.parameters.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
-    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
-    "contentVersion": "1.0.0.0",
-    "parameters": {
-        "name": {
-            "value": "adp-<>-az-vnet-custompip-bas"
-        },
-        "addressPrefixes": {
-            "value": [
-                "10.1.0.0/16"
-            ]
-        },
-        "subnets": {
-            "value": [
-                {
-                    "name": "AzureBastionSubnet", // Bastion subnet
-                    "addressPrefix": "10.1.5.0/24",
-                    "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-bastion"
-                }
-            ]
-        }
-    }
-}
diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json
index d455744dc2..3d5662f556 100644
--- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json
@@ -91,33 +91,12 @@
                 {
                     "name": "<>-az-subnet-x-006", // ASE subnet
                     "addressPrefix": "10.0.7.0/24",
-                    "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-ase",
-                    "delegations": [
-                        {
-                            "name": "ase",
-                            "properties": {
-                                "serviceName": "Microsoft.Web/hostingEnvironments"
-                            }
-                        }
-                    ]
+                    "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-ase"
                 },
                 {
                     "name": "<>-az-subnet-x-007", // APGW subnet
                     "addressPrefix": "10.0.8.0/24",
                     "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-apgw"
-                },
-                {
-                    "name": "<>-az-subnet-x-008", // ASE subnet 2
-                    "addressPrefix": "10.0.9.0/24",
-                    "networkSecurityGroupId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/adp-<>-az-nsg-x-ase",
-                    "delegations": [
-                        {
-                            "name": "ase",
-                            "properties": {
-                                "serviceName": "Microsoft.Web/hostingEnvironments"
-                            }
-                        }
-                    ]
                 }
             ]
         }
diff --git a/utilities/pipelines/dependencies/Microsoft.OperationalInsights/workspaces/parameters/sol.parameters.json b/utilities/pipelines/dependencies/Microsoft.OperationalInsights/workspaces/parameters/sol.parameters.json
deleted file mode 100644
index d8e7e24346..0000000000
--- a/utilities/pipelines/dependencies/Microsoft.OperationalInsights/workspaces/parameters/sol.parameters.json
+++ /dev/null
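Review bot: Subnet `<>-az-subnet-x-006` keeps its `// ASE subnet` comment while the hunk drops the `Microsoft.Web/hostingEnvironments` delegation; as far as I recall an App Service Environment v3 requires its subnet to be delegated to that service, so an ASE dependency deployed into this subnet would be expected to fail validation. Either the `delegations` block should stay, or, if the ASE dependency is intentionally no longer deployed into this VNET, the comment should be updated so the next reader does not assume the subnet is ASE-ready, e.g. `// ASE subnet (not delegated)`. The removal of the `AllowPortsForASE2` rule for 10.0.9.0/24 in ase.parameters.json matches dropping subnet-x-008, so only the subnet-x-006 comment/delegation mismatch remains.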
@@ -1,9 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "name": {
- "value": "adp-<>-az-law-sol-001"
- }
- }
-}
diff --git a/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json
index 2fc18da584..6a6c15ed6e 100644
--- a/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json
@@ -255,8 +255,7 @@
 "roleDefinitionIdOrName": "Reader",
 "principalIds": [
 "<>" // The object ID of the deployed MSI. Replaced by the pipeline
- ],
- "principalType": "ServicePrincipal"
+ ]
 }
 ]
 }
diff --git a/utilities/pipelines/dependencies/Microsoft.Storage/storageAccounts/parameters/fa.parameters.json b/utilities/pipelines/dependencies/Microsoft.Storage/storageAccounts/parameters/fa.parameters.json
index 84e04a5686..5d0f3f91f6 100644
--- a/utilities/pipelines/dependencies/Microsoft.Storage/storageAccounts/parameters/fa.parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.Storage/storageAccounts/parameters/fa.parameters.json
@@ -21,4 +21,4 @@
 "value": false
 }
 }
-}
+}
\ No newline at end of file
diff --git a/utilities/pipelines/dependencies/Microsoft.Storage/storageAccounts/parameters/law.parameters.json b/utilities/pipelines/dependencies/Microsoft.Storage/storageAccounts/parameters/law.parameters.json
index 382d6a0f1a..78d578e6b6 100644
--- a/utilities/pipelines/dependencies/Microsoft.Storage/storageAccounts/parameters/law.parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.Storage/storageAccounts/parameters/law.parameters.json
@@ -18,4 +18,4 @@
 "value": false
 }
 }
-}
+}
\ No newline at end of file
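Review bot: Dropping `"principalType": "ServicePrincipal"` from this Reader assignment reintroduces the `PrincipalNotFound` race the property exists to avoid: the deployment only skips the directory lookup for a principal whose type is declared, and the `principalIds` comment says this object ID is the MSI deployed by the same pipeline run, i.e. a freshly created principal that may not have replicated yet. Unless the vault module's role-assignment template now sets the type itself (not visible here), keep `"principalType": "ServicePrincipal"` alongside `principalIds`.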
diff --git a/utilities/pipelines/resourcePublish/Get-ModulesToPublish.ps1 b/utilities/pipelines/resourcePublish/Get-ModulesToPublish.ps1
index 57c18ff75e..689a9534b7 100644
--- a/utilities/pipelines/resourcePublish/Get-ModulesToPublish.ps1
+++ b/utilities/pipelines/resourcePublish/Get-ModulesToPublish.ps1
@@ -79,7 +79,7 @@ This function will search the current directory and all parent directories for a
 Mandatory. Path to the folder/file that should be searched
 .EXAMPLE
-Find-TemplateFile -Path "C:\Repos\Azure\ResourceModules\arm\Microsoft.Storage\storageAccounts\tableServices\tables\.bicep\nested_roleAssignments.bicep"
+Find-TemplateFile -Path "C:\Repos\Azure\ResourceModules\arm\Microsoft.Storage\storageAccounts\tableServices\tables\.bicep\nested_rbac.bicep"
 Directory: C:\Repos\Azure\ResourceModules\arm\Microsoft.Storage\storageAccounts\tableServices\tables
diff --git a/utilities/pipelines/resourceRemoval/Initialize-DeploymentRemoval.ps1 b/utilities/pipelines/resourceRemoval/Initialize-DeploymentRemoval.ps1
index c826ed26d9..4ac7bbd16c 100644
--- a/utilities/pipelines/resourceRemoval/Initialize-DeploymentRemoval.ps1
+++ b/utilities/pipelines/resourceRemoval/Initialize-DeploymentRemoval.ps1
@@ -60,7 +60,6 @@ function Initialize-DeploymentRemoval {
 # The initial sequence is a general order-recommendation
 $removalSequence = @(
- 'Microsoft.Authorization/locks',
 'Microsoft.Insights/diagnosticSettings',
 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups',
 'Microsoft.Network/privateEndpoints',
@@ -74,19 +73,17 @@ function Initialize-DeploymentRemoval {
 foreach ($deploymentName in $deploymentNames) {
 Write-Verbose ('Handling resource removal with deployment name [{0}]' -f $deploymentName) -Verbose
-
- ### CODE LOCATION: Add custom removal sequence here
- ## Add custom module-specific removal sequence following the example below
- # switch ($moduleName) {
- # '' { # For example: 'virtualWans', 'automationAccounts'
- # $removalSequence += @(
- # '', # For example: 'Microsoft.Network/vpnSites', 'Microsoft.OperationalInsights/workspaces/linkedServices'
- # '',
- # ''
- # )
- # break
- # }
- # }
+ switch ($moduleName) {
+ 'virtualWans' {
+ $removalSequence += @(
+ 'Microsoft.Network/vpnGateways',
+ 'Microsoft.Network/virtualHubs',
+ 'Microsoft.Network/vpnSites'
+ )
+ break
+ }
+ ### CODE LOCATION: Add custom removal sequence here
+ }
 # Invoke removal
 $inputObject = @{
diff --git a/utilities/pipelines/resourceRemoval/helper/Get-DependencyResourceNameList.ps1 b/utilities/pipelines/resourceRemoval/helper/Get-DependencyResourceNameList.ps1
index adb6c4be12..5d9ac940e9 100644
--- a/utilities/pipelines/resourceRemoval/helper/Get-DependencyResourceNameList.ps1
+++ b/utilities/pipelines/resourceRemoval/helper/Get-DependencyResourceNameList.ps1
@@ -43,13 +43,16 @@ function Get-DependencyResourceNameList {
 }
 Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', '))
- $ConvertTokensInputs = @{
- Tokens = $tokenMap
- TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
- TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
- Verbose = $false
+ foreach ($parameterFilePath in $parameterFilePaths) {
+ $ConvertTokensInputs = @{
+ FilePath = $parameterFilePath
+ Tokens = $tokenMap
+ TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ Verbose = $false
+ }
+ $null = Convert-TokensInFile @ConvertTokensInputs
 }
- $parameterFilePaths | ForEach-Object { $null = Convert-TokensInFile @ConvertTokensInputs -FilePath $_ }
 }
 $dependencyResourceNames = [System.Collections.ArrayList]@()
@@ -60,10 +63,5 @@ function Get-DependencyResourceNameList {
 }
 }
- if ($Settings.parameterFileTokens.localTokens) {
- Write-Verbose 'Restoring Tokens'
- $parameterFilePaths | ForEach-Object { $null = Convert-TokensInFile @ConvertTokensInputs -FilePath $_ -SwapValueWithName $true }
- }
-
 return $dependencyResourceNames
 }
diff --git a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
index 7735f913a2..1a37997bac 100644
--- a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
+++ b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
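Review bot: The second hunk removes the `Restoring Tokens` pass (`Convert-TokensInFile ... -SwapValueWithName $true`), so after the loop added in the first hunk the dependency parameter files on disk keep the substituted values from `$tokenMap` for the rest of the job, and the function goes from read-only to one that permanently rewrites every path in `$parameterFilePaths`. On a throw-away agent that is harmless, but any later step that publishes, caches or commits the working tree now ships the resolved values instead of the placeholders. If this is intended, say so in the function help and above the loop, e.g. `# NOTE: the parameter files are rewritten in place and are not restored afterwards`; otherwise reinstate the restore after the names are collected, bearing in mind that `$ConvertTokensInputs` is now rebuilt per file inside the loop and has to be re-created with `SwapValueWithName = $true`. The function body starts outside the hunk.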
@@ -39,15 +39,6 @@ function Invoke-ResourceRemoval {
 }
 break
 }
- 'Microsoft.Authorization/locks' {
- $lockName = ($resourceId -split '/')[-1]
- $lockScope = ($resourceId -split '/providers/Microsoft.Authorization/locks')[0]
-
- $null = Remove-AzResourceLock -LockName $lockName -Scope $lockScope -Force
- Write-Verbose "Removed lock [$resourceName]. Waiting 10 seconds for propagation." -Verbose
- Start-Sleep 10
- break
- }
 'Microsoft.KeyVault/vaults/accessPolicies' {
 Write-Verbose ('Skip resource removal for type [{0}]. Reason: handled by different logic.' -f $type) -Verbose
 break
diff --git a/utilities/pipelines/resourceRemoval/helper/Remove-Deployment.ps1 b/utilities/pipelines/resourceRemoval/helper/Remove-Deployment.ps1
index a5a371e803..f3ed6d5bf2 100644
--- a/utilities/pipelines/resourceRemoval/helper/Remove-Deployment.ps1
+++ b/utilities/pipelines/resourceRemoval/helper/Remove-Deployment.ps1
@@ -109,10 +109,6 @@ function Remove-Deployment {
 [array] $resourcesToRemove = Get-ResourceIdsAsFormattedObjectList -ResourceIds $rawTargetResourceIdsToRemove
 Write-Verbose ('Total number of deployment target resources after formatting items [{0}]' -f $resourcesToRemove.Count) -Verbose
- if ($resourcesToRemove.Count -eq 0) {
- return
- }
-
 # Filter all dependency resources
 # ===============================
 $dependencyResourceNames = Get-DependencyResourceNameList
diff --git a/utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1 b/utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1
index 8ddcc82d1a..2b5fe9cbf3 100644
--- a/utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1
+++ b/utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1
@@ -2,44 +2,38 @@
 #region Helper Functions
 <#
-.SYNOPSIS
-Installes given PowerShell modules
+ .SYNOPSIS
+ Installes given PowerShell modules
-.DESCRIPTION
-Installes given PowerShell modules
+ .DESCRIPTION
+ Installes given PowerShell modules
-.PARAMETER Module
-Required. Modules to be installed, must be Object
-@{
- Name = 'Name'
- Version = '1.0.0' # Optional
-}
+ .PARAMETER Module
+ Modules to be installed, must be Object
+ @{
+ Name = 'Name'
+ Version = '1.0.0' # Optional
+ }
-.PARAMETER InstalledModule
-Optional. Modules that are already installed on the machine. Can be fetched via 'Get-Module -ListAvailable'
+ .EXAMPLE
+ Install-CustomModule @{ Name = 'Pester' } C:\Modules
-.EXAMPLE
-Install-CustomModule @{ Name = 'Pester' } C:\Modules
-
-Installes pester and saves it to C:\Modules
+ Installes pester and saves it to C:\Modules
 #>
 function Install-CustomModule {
 [CmdletBinding(SupportsShouldProcess)]
 Param (
 [Parameter(Mandatory = $true)]
- [Hashtable] $Module,
-
- [Parameter(Mandatory = $false)]
- [object[]] $InstalledModule = @()
+ [Hashtable] $Module
 )
 # Remove exsisting module in session
- if (Get-Module $Module -ErrorAction 'SilentlyContinue') {
+ if (Get-Module $Module -ErrorAction SilentlyContinue) {
 try {
 Remove-Module $Module -Force
 } catch {
- Write-Error ('Unable to remove module [{0}] because of exception [{1}]. Stack Trace: [{2}]' -f $Module.Name, $_.Exception, $_.ScriptStackTrace)
+ Write-Error ("Unable to remove module $($Module.Name) : $($_.Exception) found, $($_.ScriptStackTrace)")
 }
 }
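Review bot: The changed guard `if (Get-Module $Module -ErrorAction SilentlyContinue)` still hands the whole `[Hashtable]` to `Get-Module`'s `-Name` parameter, where it is stringified to `System.Collections.Hashtable` and never matches, so as far as I can see the `Remove-Module $Module -Force` branch is dead and a module already loaded in the session is never unloaded before reinstall; `Get-Module $Module.Name` / `Remove-Module $Module.Name` is what the comment above intends. The rewritten catch message `Write-Error ("Unable to remove module $($Module.Name) : $($_.Exception) found, $($_.ScriptStackTrace)")` is also less readable than the `-f` form it replaces ("found," is a leftover), e.g. `Write-Error ('Unable to remove module [{0}]: {1}. Stack trace: {2}' -f $Module.Name, $_.Exception, $_.ScriptStackTrace)`. In the re-indented help block the added lines keep the typo `Installes` (`Installs`) and `.PARAMETER Module` loses its `Required.` prefix although the parameter is still `Mandatory = $true`.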
@@ -48,29 +42,18 @@ function Install-CustomModule {
 name = $Module.Name
 Repository = 'PSGallery'
 }
- if ($Module.Version) {
- $moduleImportInputObject['RequiredVersion'] = $Module.Version
+ if ($module.Version) {
+ $moduleImportInputObject['RequiredVersion'] = $module.Version
 }
-
- # Get all modules that match a certain name. In case of e.g. 'Az' it returns several.
 $foundModules = Find-Module @moduleImportInputObject
-
 foreach ($foundModule in $foundModules) {
- # Check if already installed as required
- if ($alreadyInstalled = $InstalledModule | Where-Object { $_.Name -eq $Module.Name }) {
- if ($Module.Version) {
- $alreadyInstalled = $alreadyInstalled | Where-Object { $_.Version -eq $Module.Version }
- } else {
- # Get latest in case of multiple
- $alreadyInstalled = ($alreadyInstalled | Sort-Object -Property Version -Descending)[0]
- }
- Write-Verbose ('Module [{0}] already installed with version [{1}]' -f $alreadyInstalled.Name, $alreadyInstalled.Version) -Verbose
+ $localModuleVersions = Get-Module $foundModule.Name -ListAvailable
+ if ($localModuleVersions -and $localModuleVersions.Version -contains $foundModule.Version ) {
+ Write-Verbose ('Module [{0}] already installed with version [{1}]' -f $foundModule.Name, $foundModule.Version) -Verbose
 continue
 }
-
- # Check if not to be excluded
- if ($Module.ExcludeModules -and $Module.excludeModules.contains($foundModule.Name)) {
+ if ($module.ExcludeModules -and $module.excludeModules.contains($foundModule.Name)) {
 Write-Verbose ('Module {0} is configured to be ignored.' -f $foundModule.Name) -Verbose
 continue
 }
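Review bot: `Get-Module $foundModule.Name -ListAvailable` now runs inside `foreach ($foundModule in $foundModules)`, so every candidate module triggers a full scan of each directory on `$env:PSModulePath`; the deleted lines did that scan once and passed the result in as `$InstalledModule`, which is the cheaper shape — if the parameter is gone for good, call `Get-Module -ListAvailable` once before the loop and filter it per module. The added lines also alternate between `$module` and `$Module` for the same parameter (`if ($module.Version)`, `$module.ExcludeModules`), which PowerShell tolerates but which reads like two variables; use `$Module` throughout, and drop the stray space in `$foundModule.Version )`. Install-CustomModule's body starts and ends outside the hunk.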
@@ -196,38 +179,6 @@ function Set-EnvironmentOnAgent { $count++ } - # MS-hosted agents have pre-installed modules in a specific path. Let's make them discoverable if available. - if ((Test-Path '/usr/share/') -and ((Get-ChildItem -Path '/usr/share/az_*' -Directory).Count -gt 0)) { - $preInstalledModulePaths = Get-ChildItem -Path '/usr/share/az_*' -Directory - $maximumVersionPath = '/usr/share/az_{0}' -f (($preInstalledModulePaths | ForEach-Object { ($_ -split 'az_')[1] }) | ForEach-Object { [version]$_ } | Measure-Object -Maximum ).Maximum - Write-Verbose "Found pre-installed modules in path [$maximumVersionPath]. Adding it PSModulePath environment variable." -Verbose - - if ($IsWindows) { - # Set step module path (process) - $env:PSModulePath += ('{0};{1}' -f $env:PSModulePath, $maximumVersionPath) - # Set job module path (machine) - [Environment]::SetEnvironmentVariable('PSModulePath', ('{0};{1}' -f ([Environment]::GetEnvironmentVariable('PSModulePath', 'Machine')), $maximumVersionPath), 'Machine') - # Set PS-Profile (for non-ps tasks) - if (-not (Test-Path $profile)) { - $null = New-Item -Path $profile -Force - } - Add-Content -Path $profile -Value "`$env:PSModulePath = ('{0};{1}' -f `"`$env:PSModulePath`", '$maximumVersionPath')" - } else { - # Set step module path (process) - $env:PSModulePath += ('{0}:{1}' -f $env:PSModulePath, $maximumVersionPath) - # Set job module path (machine) - [Environment]::SetEnvironmentVariable('PSModulePath', ('{0}:{1}' -f ([Environment]::GetEnvironmentVariable('PSModulePath', 'Machine')), $maximumVersionPath), 'Machine') - # Set PS-Profile (for non-ps tasks) - if (-not (Test-Path $profile)) { - $null = New-Item -Path $profile -Force - } - Add-Content -Path $profile -Value "`$env:PSModulePath = ('{0}:{1}' -f `"`$env:PSModulePath`", '$maximumVersionPath')" - } - } - - # Load already installed modules - $installedModules = Get-Module -ListAvailable - Write-Verbose ('Install-CustomModule start') -Verbose $count = 1 Foreach ($Module in 
$Modules) {
@@ -235,9 +186,8 @@ function Set-EnvironmentOnAgent {
 Write-Verbose ('HANDLING MODULE [{0}/{1}] [{2}] ' -f $count, $Modules.Count, $Module.Name) -Verbose
 Write-Verbose ('=====================') -Verbose
 # Installing New Modules and Removing Old
- $null = Install-CustomModule -Module $Module -InstalledModule $installedModules
+ $null = Install-CustomModule -Module $Module
 $count++
 }
- Write-Verbose ('Install-CustomModule end') -Verbose
 }
diff --git a/utilities/tools/AzureDevOps/Register-AzureDevOpsPipeline.ps1 b/utilities/tools/AzureDevOps/Register-AzureDevOpsPipeline.ps1
index 363107c4ed..4c953d0ecb 100644
--- a/utilities/tools/AzureDevOps/Register-AzureDevOpsPipeline.ps1
+++ b/utilities/tools/AzureDevOps/Register-AzureDevOpsPipeline.ps1
@@ -155,8 +155,7 @@ function Register-AzureDevOpsPipeline {
 $pipelinesArray = @()
 foreach ($localPipelinePath in $localPipelinePaths) {
- $line = (Get-Content -Path $localPipelinePath)[0]
- $pipelineName = ($line -split 'name:')[1].Replace("'", '').Trim()
+ $pipelineName = (Get-Content -Path $localPipelinePath)[0].Split('name:')[1].Replace("'", '').Trim()
 $pipelinesArray += @{
 ProjectName = $ProjectName
 SourceRepository = $SourceRepository
diff --git a/utilities/tools/Get-LinkedLocalModuleList.ps1 b/utilities/tools/Get-LinkedLocalModuleList.ps1
deleted file mode 100644
index 347997b8e9..0000000000
--- a/utilities/tools/Get-LinkedLocalModuleList.ps1
+++ /dev/null
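Review bot: `.Split('name:')` is not equivalent to the `-split 'name:'` it replaces: on Windows PowerShell (.NET Framework) `String.Split` has no single-string overload, so the argument binds to `Split(params char[])` and the line is split on each of the characters `n`, `a`, `m`, `e` and `:`, making `[1]` an arbitrary fragment rather than the pipeline name; only PowerShell 7 / .NET Core resolves `Split(string)`. `$pipelineName = ((Get-Content -Path $localPipelinePath)[0] -split 'name:')[1].Replace("'", '').Trim()` keeps the one-liner without the portability trap. Register-AzureDevOpsPipeline's body continues outside the hunk.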
@@ -1,80 +0,0 @@ -<# -.SYNOPSIS -Print a list of all local references for the modules in a given path - -.DESCRIPTION -The result will be a list of all modules in the given path alongside their individual references to other modules in the folder structure - -.PARAMETER path -Optional. The path to search in. Defaults to the 'arm' folder - -.EXAMPLE -Get-LinkedLocalModuleList - -Invoke the function with the default path. Prints a list such as: - -> The modules in path [C:\dev\ip\Azure-ResourceModules\ResourceModules\arm] have the following local folder dependencies: -> -> Resource: Microsoft.EventGrid/topics -> - Microsoft.EventGrid/Microsoft.Network/privateEndpoints -> -> Resource: Microsoft.Synapse/privateLinkHubs -> - Microsoft.Synapse/Microsoft.Network/privateEndpoints - -.EXAMPLE -Get-LinkedLocalModuleList -Path './Microsoft.Sql' - -Get only the references of the modules in folder path './Microsoft.Sql' - -> The modules in path [..\..\arm\Microsoft.Sql\] have the following local folder dependencies: -> -> Resource: Microsoft.Sql/servers -> - Microsoft.Sql/Microsoft.Network/privateEndpoints -#> -function Get-LinkedLocalModuleList { - - [CmdletBinding()] - param ( - [Parameter()] - [string] $path = (Join-Path (Split-Path (Split-Path $PSScriptRoot -Parent) -Parent) 'arm') - ) - - # Load used functions - . 
(Join-Path $PSScriptRoot 'Get-LinkedModuleList.ps1') - - $allReferences = Get-LinkedModuleList -path $path - - $resultSet = @{} - - foreach ($resourceType in $allReferences.Keys) { - $relevantLocalReferences = $allReferences[$resourceType].localPathReferences | Where-Object { $_ -match '^\.\..*$' } - if ($relevantLocalReferences) { - $relevantLocalReferences = $relevantLocalReferences | ForEach-Object { - # remove deploy.bicep - Split-Path $_ -Parent - } | ForEach-Object { - # remove leading path elements - ($_ -replace '\\', '/') -match '^[\.\/]*(.+)$' - } | ForEach-Object { - # We have to differentate the case that the referenced resources is inside or outside the same provider namespace (e.g. '../publicIPAddresses') - if ($matches[1] -like '*/*') { - # Reference outside of namespace - $matches[1] - } else { - # Reference inside of namespace (-> we rebuild the namespace) - '{0}/{1}' -f (Split-Path $resourceType -Parent), $matches[1] - } - } - $resultSet[$resourceType] = $relevantLocalReferences - } - } - - Write-Verbose "The modules in path [$path] have the following local folder dependencies:" -Verbose - foreach ($resourceType in $resultSet.Keys) { - Write-Verbose '' -Verbose - Write-Verbose "Resource: $resourceType" -Verbose - $resultSet[$resourceType] | ForEach-Object { - Write-Verbose "- $_" -Verbose - } - } -} diff --git a/utilities/tools/Get-LinkedModuleList.ps1 b/utilities/tools/Get-LinkedModuleList.ps1 deleted file mode 100644 index 2d6a8608e1..0000000000 --- a/utilities/tools/Get-LinkedModuleList.ps1 +++ /dev/null 
@@ -1,79 +0,0 @@ -<# -.SYNOPSIS -Get a list of all resource/module references in a given module path - -.DESCRIPTION -As an output you will receive a hashtable that (for each provider namespace) lists the -- Directly deployed resources (e.g. via "resource myDeployment 'Microsoft.(..)/(..)@(..)'") -- Linked local module templates (e.g. via "module myDeployment '../../deploy.bicep'") -- Linked remote module tempaltes (e.g. via "module rg 'br/modules:(..):(..)'") - -.PARAMETER path -Optional. The path to search in. Defaults to the 'arm' folder - -.EXAMPLE -Get-LinkedModuleList - -Invoke the function with the default path. Returns an object such as: -{ - "Microsoft.Compute/availabilitySets": { - "localPathReferences": ".bicep/nested_roleAssignments.bicep", - "remoteReferences": null, - "resourceReferences": [ - "Microsoft.Resources/deployments@2021-04-01", - "Microsoft.Compute/availabilitySets@2021-07-01", - "Microsoft.Authorization/locks@2017-04-01", - "Microsoft.Compute/availabilitySets@2021-04-01", - "Microsoft.Authorization/roleAssignments@2020-10-01-preview" - ] - }, - (...) -} - -.EXAMPLE -Get-LinkedModuleList -path './Microsoft.Sql' - -Get only the references of the modules in folder path './Microsoft.Sql' -#> -function Get-LinkedModuleList { - - [CmdletBinding()] - param ( - [Parameter()] - [string] $path = (Join-Path (Split-Path (Split-Path $PSScriptRoot -Parent) -Parent) 'arm') - ) - - $resultSet = @{} - - # Get all top-level module folders (i.e. 
one level below 'Microsoft.*') - $topLevelFolderPaths = (Get-ChildItem -Path $path -Recurse -Depth 1 -Directory).FullName - $topLevelFolderPaths = $topLevelFolderPaths | Where-Object { $_ -like '*Microsoft.*' -and (Split-Path $_ -Leaf) -notlike 'Microsoft.*' } - - foreach ($topLevelFolderPath in $topLevelFolderPaths) { - - $moduleTemplatePaths = (Get-ChildItem -Path $topLevelFolderPath -Recurse -Depth 1 -Filter '*.bicep' -File).FullName - - $resourceReferences = [System.Collections.ArrayList]@() - $localPathReferences = [System.Collections.ArrayList]@() - $remoteReferences = [System.Collections.ArrayList]@() - - foreach ($templatePath in $moduleTemplatePaths) { - $content = Get-Content -Path $templatePath - - $resourceReferences += $content | Where-Object { $_ -match "^resource .+ '(.+)' .+$" } | ForEach-Object { $matches[1] } - $localPathReferences += $content | Where-Object { $_ -match "^module .+ '(.+.bicep)' .+$" } | ForEach-Object { $matches[1] } - $remoteReferences += $content | Where-Object { $_ -match "^module .+ '(.+:.+)' .+$" } | ForEach-Object { $matches[1] } - } - - $providerNamespace = Split-Path (Split-Path $topLevelFolderPath -Parent) -Leaf - $resourceType = Split-Path $topLevelFolderPath -Leaf - - $resultSet["$providerNamespace/$resourceType"] = @{ - resourceReferences = $resourceReferences | Select-Object -Unique - localPathReferences = $localPathReferences | Select-Object -Unique - remoteReferences = $remoteReferences | Select-Object -Unique - } - } - - return $resultSet -} diff --git a/utilities/tools/Set-ModuleReadMe.ps1 b/utilities/tools/Set-ModuleReadMe.ps1 index 7131a577f5..46bdd343f6 100644 --- a/utilities/tools/Set-ModuleReadMe.ps1 +++ b/utilities/tools/Set-ModuleReadMe.ps1 
@@ -301,10 +301,10 @@ function Set-OutputsSection {
 <#
 .SYNOPSIS
-Generate 'Deployment examples' for the ReadMe out of the parameter files currently used to test the template
+Generate 'Usage Examples' for the ReadMe out of the parameter files currently used to test the template
 .DESCRIPTION
-Generate 'Deployment examples' for the ReadMe out of the parameter files currently used to test the template
+Generate 'Usage Examples' for the ReadMe out of the parameter files currently used to test the template
 .PARAMETER TemplateFileContent
 Mandatory. The template file content object to crawl data from
@@ -414,6 +414,13 @@ function Set-DeploymentExamplesSection {
 }
 }
+ # replace key vault references
+ foreach ($keyVaultReference in $keyVaultReferences) {
+ $matchingTuple = $keyVaultReferenceData | Where-Object { $_.parameterName -eq $keyVaultReference }
+ # kv.getSecret('vmAdminPassword')
+ $JSONParametersHashTable[$keyVaultReference] = "{0}.getSecret('{1}')" -f $matchingTuple.vaultResourceReference, $matchingTuple.secretName
+ }
+
 # Handle VALUE references (i.e. remove them)
 $JSONParameters = (ConvertFrom-Json $contentInJSONFormat -Depth 99).PSObject.properties['parameters'].value
 $JSONParametersWithoutValue = [ordered]@{}
@@ -421,9 +428,7 @@ function Set-DeploymentExamplesSection {
 if ($parameter.value.PSObject.Properties.name -eq 'value') {
 $JSONParametersWithoutValue[$parameter.name] = $parameter.value.PSObject.Properties['value'].value
 } else {
- # replace key vault references
- $matchingTuple = $keyVaultReferenceData | Where-Object { $_.parameterName -eq $parameter.Name }
- $JSONParametersWithoutValue[$parameter.name] = "{0}.getSecret('{1}')" -f $matchingTuple.vaultResourceReference, $matchingTuple.secretName
+ $JSONParametersWithoutValue[$parameter.name] = $parameter.value.PSObject.Properties
 }
 }
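Review bot: In the added `foreach ($keyVaultReference in $keyVaultReferences)` loop nothing guards against `$matchingTuple` being `$null` when `$keyVaultReferenceData` has no entry for the name; in that case the `-f` expression silently writes `.getSecret('')` into `$JSONParametersHashTable` and the generated example loses the secret reference without any error. Add a check before the assignment, e.g. `if (-not $matchingTuple) { throw "No key vault reference data found for parameter [$keyVaultReference]" }`. Set-DeploymentExamplesSection's body starts and ends outside the hunk.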
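Review bot: The new `else` branch stores `$parameter.value.PSObject.Properties` — the property collection object itself, not a value — under `$JSONParametersWithoutValue[$parameter.name]`, whereas the `if` branch stores the unwrapped `.Properties['value'].value`; that looks accidental and would serialize as a list of property objects if `$JSONParametersWithoutValue` is what ends up in the ReadMe. If the intent is to keep the raw reference object because the `getSecret` rewrite moved to `$JSONParametersHashTable`, `$JSONParametersWithoutValue[$parameter.name] = $parameter.value` is the plain form, and a one-line comment naming which of the two hashtables is emitted would help the next reader. The loop's enclosing function continues outside the hunk.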
@@ -607,7 +612,7 @@ function Set-ModuleReadMe {
 'Outputs',
 'Template references',
 'Navigation',
- 'Deployment examples'
+ 'Usage examples'
 )]
 [string[]] $SectionsToRefresh = @(
 'Resource Types',
@@ -615,7 +620,7 @@ function Set-ModuleReadMe {
 'Outputs',
 'Template references',
 'Navigation',
- 'Deployment examples'
+ 'Usage examples'
 )
 )
@@ -628,16 +633,12 @@ function Set-ModuleReadMe {
 if (-not $TemplateFileContent) {
 if ((Split-Path -Path $TemplateFilePath -Extension) -eq '.bicep') {
- $templateFileContent = az bicep build --file $TemplateFilePath --stdout --no-restore | ConvertFrom-Json -AsHashtable
+ $templateFileContent = az bicep build --file $TemplateFilePath --stdout | ConvertFrom-Json -AsHashtable
 } else {
 $templateFileContent = ConvertFrom-Json (Get-Content $TemplateFilePath -Encoding 'utf8' -Raw) -ErrorAction Stop -AsHashtable
 }
 }
- if (-not $templateFileContent) {
- throw "Failed to compile [$TemplateFilePath]"
- }
-
 $fullResourcePath = (Split-Path $TemplateFilePath -Parent).Replace('\', '/').split('/arm/')[1]
 # Check readme
@@ -717,8 +718,8 @@ function Set-ModuleReadMe {
 $readMeFileContent = Set-OutputsSection @inputObject
 }
- if ($SectionsToRefresh -contains 'Deployment examples') {
- # Handle [Deployment examples] section
+ if ($SectionsToRefresh -contains 'Usage examples') {
+ # Handle [Usage examples] section
 # ===================================
 $inputObject = @{
 ReadMeFileContent = $readMeFileContent
diff --git a/utilities/tools/Set-ReadMeModuleTable.ps1 b/utilities/tools/Set-ReadMeModuleTable.ps1
index 9ebb1235ea..0af24e414d 100644
--- a/utilities/tools/Set-ReadMeModuleTable.ps1
+++ b/utilities/tools/Set-ReadMeModuleTable.ps1
@@ -67,9 +67,6 @@ function Set-ReadMeModuleTable {
 # Logic
 $contentArray = Get-Content -Path $FilePath
- # Handle space in the projectname
- $urlEncodedProjectName = [uri]::EscapeDataString($ProjectName)
-
 $tableStringInputObject = @{
 Path = $ModulesPath
 RepositoryName = $RepositoryName
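Review bot: With `if (-not $templateFileContent) { throw "Failed to compile [$TemplateFilePath]" }` deleted, a failing `az bicep build` (errors go to stderr, nothing to stdout) leaves `$templateFileContent` empty and the function keeps going, so the ReadMe sections are regenerated from an empty template instead of the run stopping. Keep the guard, ideally also checking the native exit code, `if ($LASTEXITCODE -ne 0 -or -not $templateFileContent) { throw "Failed to compile [$TemplateFilePath]" }`, after the `if/else`. Dropping `--no-restore` additionally makes ReadMe generation restore registry modules over the network during the build; if that is deliberate, a comment on the `az bicep build` line saying so would stop the flag from being re-added. Set-ModuleReadMe's body continues outside the hunk.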
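Review bot: The deleted `$urlEncodedProjectName = [uri]::EscapeDataString($ProjectName)` existed, per its own comment, to `Handle space in the projectname`, and the following hunk (`@@ -77,7 +74,7 @@`) now passes the raw `$ProjectName` to `Get-ModulesAsMarkdownTable` instead. Unless that function now encodes the value itself (not visible here), a project name containing spaces yields broken links in the generated table. If the encoding did move, a one-line comment at `ProjectName = $ProjectName` (`# URL-encoded inside Get-ModulesAsMarkdownTable`) would keep it from being re-added here.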
@@ -77,7 +74,7 @@ function Set-ReadMeModuleTable {
 ColumnsInOrder = $ColumnsInOrder
 SortByColumn = $SortByColumn
 Environment = $Environment
- ProjectName = $urlEncodedProjectName
+ ProjectName = $ProjectName
 }
 Write-Verbose ($tableStringInputObject | ConvertTo-Json | Out-String) -Verbose
 $tableString = Get-ModulesAsMarkdownTable @tableStringInputObject -Verbose