diff --git a/.ps-rule/min-suppress.Rule.yaml b/.ps-rule/min-suppress.Rule.yaml index 80611ec02c..6ddd8dc341 100644 --- a/.ps-rule/min-suppress.Rule.yaml +++ b/.ps-rule/min-suppress.Rule.yaml @@ -8,6 +8,7 @@ spec: rule: - Azure.Resource.UseTags - Azure.KeyVault.Logs + - Azure.KeyVault.Firewall - Azure.Policy.ExemptionDescriptors - Azure.Policy.Descriptors - Azure.Policy.AssignmentDescriptors diff --git a/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep b/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep new file mode 100644 index 0000000000..152b6bd1bb --- /dev/null +++ b/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep @@ -0,0 +1,46 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + serviceEndpoints: [ + { + service: 'Microsoft.KeyVault' + } + ] + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId 
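Review bot: In the `.ps-rule/min-suppress.Rule.yaml` hunk, `- Azure.KeyVault.Firewall` is added to the suppression list with no comment saying why the firewall check may be skipped. Suppressing a network-exposure rule is worth justifying in place, for example `# min test deploys module defaults; networkAcls are exercised by the accesspolicies and pe tests`, if that is the reason. The part of the file that scopes this suppression group is outside the hunk, so please confirm it still limits the suppression to the min test files. Otherwise a vault deployed without `networkAcls` in any other test would stop failing the rule.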
diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep new file mode 100644 index 0000000000..f51833d1cb --- /dev/null +++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep 
@@ -0,0 +1,124 @@ +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'kvvap' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module 
testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}002' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + enablePurgeProtection: false + accessPolicies: [ + { + objectId: nestedDependencies.outputs.managedIdentityPrincipalId + permissions: { + keys: [ + 'get' + 'list' + 'update' + ] + secrets: [ + 'get' + 'list' + ] + } + tenantId: tenant().tenantId + } + { + objectId: nestedDependencies.outputs.managedIdentityPrincipalId + permissions: { + certificates: [ + 'backup' + 'create' + 'delete' + ] + secrets: [ + 'get' + 'list' + ] + } + } + ] + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: nestedDependencies.outputs.subnetResourceId + ignoreMissingVnetServiceEndpoint: false + } + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/key-vault/vault/.test/common/main.test.bicep b/modules/key-vault/vault/.test/common/main.test.bicep index 780dfdd843..42499a4e72 100644 --- a/modules/key-vault/vault/.test/common/main.test.bicep +++ b/modules/key-vault/vault/.test/common/main.test.bicep 
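Review bot: The `testDeployment` params in the new `accesspolicies/main.test.bicep` pass `accessPolicies` but never set `enableRbacAuthorization`, while this same commit changes that parameter's default to `true` in `main.bicep`. Per the parameter description, access policies are ignored when RBAC authorization is on. Unless `main.bicep` overrides the flag elsewhere (not visible here), this test deploys a vault whose policies have no effect, and the README example generated from it shows the same combination. Adding `enableRbacAuthorization: false` next to `enablePurgeProtection: false` would make the test exercise what its name says. Separately, both policy entries use the same `objectId`, so it is worth confirming the second entry neither overwrites the first nor is dropped.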
@@ -64,42 +64,14 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}002' - accessPolicies: [ - { - objectId: nestedDependencies.outputs.managedIdentityPrincipalId - permissions: { - keys: [ - 'get' - 'list' - 'update' - ] - secrets: [ - 'all' - ] - } - tenantId: tenant().tenantId - } - { - objectId: nestedDependencies.outputs.managedIdentityPrincipalId - permissions: { - certificates: [ - 'backup' - 'create' - 'delete' - ] - secrets: [ - 'all' - ] - } - } - ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName // Only for testing purposes enablePurgeProtection: false - enableRbacAuthorization: false + enableRbacAuthorization: true keys: [ { attributesExp: 1725109032 diff --git a/modules/key-vault/vault/.test/pe/dependencies.bicep b/modules/key-vault/vault/.test/pe/dependencies.bicep index 4e44ac0dc4..b9eb57d972 100644 --- a/modules/key-vault/vault/.test/pe/dependencies.bicep +++ b/modules/key-vault/vault/.test/pe/dependencies.bicep @@ -20,6 +20,11 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { name: 'defaultSubnet' properties: { addressPrefix: cidrSubnet(addressPrefix, 16, 0) + serviceEndpoints: [ + { + service: 'Microsoft.KeyVault' + } + ] } } ] diff --git a/modules/key-vault/vault/.test/pe/main.test.bicep b/modules/key-vault/vault/.test/pe/main.test.bicep index 2583895c37..6230f07e42 100644 --- a/modules/key-vault/vault/.test/pe/main.test.bicep +++ b/modules/key-vault/vault/.test/pe/main.test.bicep 
@@ -39,6 +39,20 @@ module nestedDependencies 'dependencies.bicep' = { } } +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' + location: location + } +} + // ============== // // Test Execution // // ============== // @@ -49,14 +63,35 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName // Only for testing purposes enablePurgeProtection: false + enableRbacAuthorization: true + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: nestedDependencies.outputs.subnetResourceId + ignoreMissingVnetServiceEndpoint: false + } + ] + } privateEndpoints: [ { privateDnsZoneGroup: { privateDNSResourceIds: [ nestedDependencies.outputs.privateDNSResourceId ] + privateEndpointName: 'dep-${namePrefix}-pe-${serviceShort}' } service: 'vault' subnetResourceId: nestedDependencies.outputs.subnetResourceId diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index dd7ed9eca4..4ef8894b70 100644 --- a/modules/key-vault/vault/README.md 
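Review bot: In the second hunk of `pe/main.test.bicep`, `privateEndpointName: 'dep-${namePrefix}-pe-${serviceShort}'` is added inside `privateDnsZoneGroup`, but the key looks unused. The private-endpoint module shown later in this diff reads only `privateDnsZoneGroup.privateDNSResourceIds` and passes `privateEndpoint.name` itself. If it was meant to name the endpoint, it probably belongs on the endpoint entry rather than in the zone group (the entry schema is outside the hunk); otherwise drop it so the README example does not advertise a setting with no effect. Also, the added `ipRules` value `40.74.28.0/23` leaves the public endpoint reachable from that range in a test meant to demonstrate private-endpoint access; a short comment on why the range is allowed would help readers who copy the example.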
+++ b/modules/key-vault/vault/README.md 
@@ -47,7 +47,7 @@ This module deploys a Key Vault. | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `enablePurgeProtection` | bool | `True` | | Provide 'true' to enable Key Vault's purge protection feature. | -| `enableRbacAuthorization` | bool | `False` | | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | +| `enableRbacAuthorization` | bool | `True` | | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC. | | `enableSoftDelete` | bool | `True` | | Switch to enable/disable Key Vault's soft delete feature. | | `enableVaultForDeployment` | bool | `True` | | Specifies if the vault is enabled for deployment by script or compute. | | `enableVaultForDiskEncryption` | bool | `True` | | Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. | 
@@ -402,7 +402,7 @@ The following module usage examples are retrieved from the content of the files >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -

Example 1: Common

+

Example 1: Accesspolicies

@@ -410,9 +410,11 @@ The following module usage examples are retrieved from the content of the files ```bicep module vault './key-vault/vault/main.bicep' = { - name: '${uniqueString(deployment().name, location)}-test-kvvcom' + name: '${uniqueString(deployment().name, location)}-test-kvvap' params: { - name: 'kvvcom002' + // Required parameters + name: 'kvvap002' + // Non-required parameters accessPolicies: [ { objectId: '' @@ -423,7 +425,8 @@ module vault './key-vault/vault/main.bicep' = { 'update' ] secrets: [ - 'all' + 'get' + 'list' ] } tenantId: '' @@ -437,7 +440,8 @@ module vault './key-vault/vault/main.bicep' = { 'delete' ] secrets: [ - 'all' + 'get' + 'list' ] } } @@ -448,7 +452,147 @@ module vault './key-vault/vault/main.bicep' = { diagnosticWorkspaceId: '' enableDefaultTelemetry: '' enablePurgeProtection: false - enableRbacAuthorization: false + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: '' + ignoreMissingVnetServiceEndpoint: false + } + ] + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "kvvap002" + }, + // Non-required parameters + "accessPolicies": { + "value": [ + { + "objectId": "", + "permissions": { + "keys": [ + "get", + "list", + "update" + ], + "secrets": [ + "get", + "list" + ] + }, + "tenantId": "" + }, + { + "objectId": "", + "permissions": { + "certificates": [ + "backup", + "create", + "delete" + ], + "secrets": [ + "get", + "list" + ] + } + } + ] + }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enablePurgeProtection": { + "value": false + }, + "networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "ipRules": [ + { + "value": "40.74.28.0/23" + } + ], + "virtualNetworkRules": [ + { + "id": "", + "ignoreMissingVnetServiceEndpoint": false + } + ] + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ +

Example 2: Common

+ +
+ +via Bicep module + +```bicep +module vault './key-vault/vault/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-kvvcom' + params: { + name: 'kvvcom002' + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + enableDefaultTelemetry: '' + enablePurgeProtection: false + enableRbacAuthorization: true keys: [ { attributesExp: 1725109032 @@ -574,37 +718,6 @@ module vault './key-vault/vault/main.bicep' = { "name": { "value": "kvvcom002" }, - "accessPolicies": { - "value": [ - { - "objectId": "", - "permissions": { - "keys": [ - "get", - "list", - "update" - ], - "secrets": [ - "all" - ] - }, - "tenantId": "" - }, - { - "objectId": "", - "permissions": { - "certificates": [ - "backup", - "create", - "delete" - ], - "secrets": [ - "all" - ] - } - } - ] - }, "diagnosticEventHubAuthorizationRuleId": { "value": "" }, @@ -624,7 +737,7 @@ module vault './key-vault/vault/main.bicep' = { "value": false }, "enableRbacAuthorization": { - "value": false + "value": true }, "keys": { "value": [ @@ -755,7 +868,7 @@ module vault './key-vault/vault/main.bicep' = {

-

Example 2: Min

+

Example 3: Min

@@ -804,7 +917,7 @@ module vault './key-vault/vault/main.bicep' = {

-

Example 3: Pe

+

Example 4: Pe

@@ -817,14 +930,35 @@ module vault './key-vault/vault/main.bicep' = { // Required parameters name: 'kvvpe001' // Non-required parameters + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' enableDefaultTelemetry: '' enablePurgeProtection: false + enableRbacAuthorization: true + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: '' + ignoreMissingVnetServiceEndpoint: false + } + ] + } privateEndpoints: [ { privateDnsZoneGroup: { privateDNSResourceIds: [ '' ] + privateEndpointName: 'dep-pe-kvvpe' } service: 'vault' subnetResourceId: '' @@ -861,19 +995,52 @@ module vault './key-vault/vault/main.bicep' = { "value": "kvvpe001" }, // Non-required parameters + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, "enableDefaultTelemetry": { "value": "" }, "enablePurgeProtection": { "value": false }, + "enableRbacAuthorization": { + "value": true + }, + "networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "ipRules": [ + { + "value": "40.74.28.0/23" + } + ], + "virtualNetworkRules": [ + { + "id": "", + "ignoreMissingVnetServiceEndpoint": false + } + ] + } + }, "privateEndpoints": { "value": [ { "privateDnsZoneGroup": { "privateDNSResourceIds": [ "" - ] + ], + "privateEndpointName": "dep-pe-kvvpe" }, "service": "vault", "subnetResourceId": "", diff --git a/modules/key-vault/vault/main.bicep b/modules/key-vault/vault/main.bicep index 20eb584fd3..08892f54ee 100644 --- a/modules/key-vault/vault/main.bicep +++ b/modules/key-vault/vault/main.bicep 
@@ -37,8 +37,8 @@ param enableSoftDelete bool = true @description('Optional. softDelete data retention days. It accepts >=7 and <=90.') param softDeleteRetentionInDays int = 90 -@description('Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC.') -param enableRbacAuthorization bool = false +@description('Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC.') +param enableRbacAuthorization bool = true @description('Optional. The vault\'s create mode to indicate whether the vault need to be recovered or not. - recover or default.') param createMode string = 'default' diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json index 561b11ccfe..e2d5cace78 100644 --- a/modules/key-vault/vault/main.json +++ b/modules/key-vault/vault/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2793046889488207368" + "version": "0.21.1.54444", + "templateHash": "7677613016975773230" }, "name": "Key Vaults", "description": "This module deploys a Key Vault.", 
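Review bot: In the `main.bicep` hunk, `param enableRbacAuthorization bool = true` silently changes behaviour for callers that pass `accessPolicies` and relied on the old default. On their next deployment the vault would switch to RBAC and, per the description, ignore those policies, so the listed principals lose data-plane access. The description should say so, for example by appending `Set to false when using access policies.`, and the breaking default deserves a release note. The resource body is outside the hunk; if it has no guard for `enableRbacAuthorization` being true together with a non-empty `accessPolicies`, consider adding one.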
@@ -84,9 +84,9 @@ }, "enableRbacAuthorization": { "type": "bool", - "defaultValue": false, + "defaultValue": true, "metadata": { - "description": "Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC." + "description": "Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC." } }, "createMode": { @@ -369,8 +369,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "7542638391604115549" + "version": "0.21.1.54444", + "templateHash": "10458348557666655329" }, "name": "Key Vault Access Policies", "description": "This module deploys a Key Vault Access Policy.", @@ -504,8 +504,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3581368535918618501" + "version": "0.21.1.54444", + "templateHash": "4314059595515029873" }, "name": "Key Vault Secrets", "description": "This module deploys a Key Vault Secret.", 
@@ -644,8 +644,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "4251680927905962776" + "version": "0.21.1.54444", + "templateHash": "15814620610091788537" } }, "parameters": { @@ -839,8 +839,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "7510105499462799965" + "version": "0.21.1.54444", + "templateHash": "13427300513937033652" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", @@ -1025,8 +1025,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3968881335142586299" + "version": "0.21.1.54444", + "templateHash": "8510219443070850278" } }, "parameters": { @@ -1226,8 +1226,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13560297539192628062" + "version": "0.21.1.54444", + "templateHash": "17036874096652764314" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1426,8 +1426,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17831763001460207830" + "version": "0.21.1.54444", + "templateHash": "2469208411936339153" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1564,8 +1564,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11548486149222715894" + "version": "0.21.1.54444", + "templateHash": "13032708393704093995" } }, "parameters": { @@ -1778,8 +1778,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "18089760146236492183" + "version": "0.21.1.54444", + "templateHash": "12411629325302614699" } }, "parameters": { 
@@ -1941,4 +1941,4 @@ "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '2022-07-01', 'full').location]" } } -} \ No newline at end of file +} diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep index c43e6c55ef..c47ebca698 100644 --- a/modules/network/private-endpoint/main.bicep +++ b/modules/network/private-endpoint/main.bicep @@ -93,7 +93,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = { } module privateEndpoint_privateDnsZoneGroup 'private-dns-zone-group/main.bicep' = if (!empty(privateDnsZoneGroup)) { - name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-PrivateDnsZoneGroup' + name: '${uniqueString(deployment().name)}-PE-PrivateDnsZoneGroup' params: { privateDNSResourceIds: privateDnsZoneGroup.privateDNSResourceIds privateEndpointName: privateEndpoint.name diff --git a/modules/network/private-endpoint/main.json b/modules/network/private-endpoint/main.json index ab7eacf336..ec5e636ac3 100644 --- a/modules/network/private-endpoint/main.json +++ b/modules/network/private-endpoint/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13560297539192628062" + "version": "0.21.1.54444", + "templateHash": "14580007913383558904" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -181,7 +181,7 @@ "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, parameters('location')))]", + "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
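Review bot: In the `modules/network/private-endpoint/main.bicep` hunk, the new name `'${uniqueString(deployment().name)}-PE-PrivateDnsZoneGroup'` drops `location` from the seed with no comment explaining why. That departs from the `uniqueString(deployment().name, location)` pattern used by the other nested deployments in this diff. If the goal was only a shorter name, keeping the seed and shortening the suffix would do: `name: '${uniqueString(deployment().name, location)}-PE-PrivateDnsZoneGroup'`. Otherwise a one-line comment on why the seed changed would help. The module body continues outside the hunk.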
@@ -204,8 +204,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17831763001460207830" + "version": "0.21.1.54444", + "templateHash": "2469208411936339153" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -342,8 +342,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11548486149222715894" + "version": "0.21.1.54444", + "templateHash": "13032708393704093995" } }, "parameters": {