From d3fde102b82859a2672e03231759cdd0086032b0 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Fri, 15 Sep 2023 16:41:26 +0200
Subject: [PATCH 01/38] uniquestring with utc datetime

---
 modules/key-vault/vault/main.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json
index 561b11ccfe..129b1b659d 100644
--- a/modules/key-vault/vault/main.json
+++ b/modules/key-vault/vault/main.json
@@ -1403,7 +1403,9 @@
 "condition": "[not(empty(parameters('privateDnsZoneGroup')))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
-"name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, parameters('location')))]",
+//"name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, parameters('location')))]",
+"name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, utcNow('yyyyMMddHHmmss')))]"
+
 "properties": {
 "expressionEvaluationOptions": {
 "scope": "inner"

From e8aa6bf06b66663e3273bb38e38ff0c46fb921d4 Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Fri, 15 Sep 2023 17:45:04 +0200
Subject: [PATCH 02/38] json rollback and psrule ver update

---
 modules/key-vault/vault/main.json | 5 ++---
 ps-rule.yaml | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json
index 129b1b659d..4286830297 100644
--- a/modules/key-vault/vault/main.json
+++ b/modules/key-vault/vault/main.json
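Review bot: The new `"name"` on the added lines is not valid in this template: `utcNow()` is only accepted in a parameter's `defaultValue`, so using it inside a resource name fails template validation, and the added line also drops the trailing comma before `"properties"` while the `//"name": …` line is not JSON at all. This file is compiled output of main.bicep (its `_generator` metadata is visible in later hunks of the series), so the change belongs in the .bicep source followed by a recompile. A timestamp-derived name also makes every run create a new nested deployment record instead of updating the previous one; if the goal is one name per endpoint, a deterministic salt such as the endpoint's `name` parameter, `uniqueString(deployment().name, parameters('location'), parameters('name'))`, gives that without a fresh record per run. The same non-deterministic naming recurs in patches 06 (`utcNow()` parameter) and 08 (`newGuid()` parameter).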
@@ -1403,8 +1403,7 @@
 "condition": "[not(empty(parameters('privateDnsZoneGroup')))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
-//"name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, parameters('location')))]",
-"name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, utcNow('yyyyMMddHHmmss')))]"
+"name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, parameters('location')))]",
 
 "properties": {
 "expressionEvaluationOptions": {
@@ -1943,4 +1942,4 @@
 "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '2022-07-01', 'full').location]"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/ps-rule.yaml b/ps-rule.yaml
index 1efe9161f8..76369d2da8 100644
--- a/ps-rule.yaml
+++ b/ps-rule.yaml
@@ -16,7 +16,7 @@ binding:
 # Require minimum versions of modules.
 requires:
 PSRule: '@pre >=2.4.0'
-PSRule.Rules.Azure: '@pre >=1.19.2'
+PSRule.Rules.Azure: '@pre >=1.20.0'
 
 # Use PSRule for Azure.
 include:

From 7bba3c42aab6f465514348bc91a70dc1c3739afd Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Fri, 15 Sep 2023 18:02:49 +0200
Subject: [PATCH 03/38] 1.29.0

---
 ps-rule.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ps-rule.yaml b/ps-rule.yaml
index 76369d2da8..9710911917 100644
--- a/ps-rule.yaml
+++ b/ps-rule.yaml
@@ -16,7 +16,7 @@ binding:
 # Require minimum versions of modules.
 requires:
 PSRule: '@pre >=2.4.0'
-PSRule.Rules.Azure: '@pre >=1.20.0'
+PSRule.Rules.Azure: '@pre >=1.29.0'
 
 # Use PSRule for Azure.
 include:

From fbe5adbd93428d4490dbb33cf73e0ceb309bfad6 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Sat, 16 Sep 2023 15:06:52 +0200
Subject: [PATCH 04/38] upd

---
 .ps-rule/min-suppress.Rule.yaml | 1 +
 modules/key-vault/vault/.test/pe/main.test.bicep | 1 +
 modules/key-vault/vault/main.json | 4 +---
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.ps-rule/min-suppress.Rule.yaml b/.ps-rule/min-suppress.Rule.yaml
index 80611ec02c..6ddd8dc341 100644
--- a/.ps-rule/min-suppress.Rule.yaml
+++ b/.ps-rule/min-suppress.Rule.yaml
@@ -8,6 +8,7 @@ spec:
 rule:
  - Azure.Resource.UseTags
  - Azure.KeyVault.Logs
+ - Azure.KeyVault.Firewall
  - Azure.Policy.ExemptionDescriptors
  - Azure.Policy.Descriptors
  - Azure.Policy.AssignmentDescriptors
diff --git a/modules/key-vault/vault/.test/pe/main.test.bicep b/modules/key-vault/vault/.test/pe/main.test.bicep
index 2583895c37..f92ad962f3 100644
--- a/modules/key-vault/vault/.test/pe/main.test.bicep
+++ b/modules/key-vault/vault/.test/pe/main.test.bicep
@@ -57,6 +57,7 @@ module testDeployment '../../main.bicep' = {
 privateDNSResourceIds: [
 nestedDependencies.outputs.privateDNSResourceId
 ]
+privateEndpointName: 'dep-${namePrefix}-pe-${serviceShort}'
 }
 service: 'vault'
 subnetResourceId: nestedDependencies.outputs.subnetResourceId
diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json
index 129b1b659d..561b11ccfe 100644
--- a/modules/key-vault/vault/main.json
+++ b/modules/key-vault/vault/main.json
@@ -1403,9 +1403,7 @@
 "condition": "[not(empty(parameters('privateDnsZoneGroup')))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
-//"name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, parameters('location')))]",
-"name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, utcNow('yyyyMMddHHmmss')))]"
-
+"name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, parameters('location')))]",
 "properties": {
 "expressionEvaluationOptions": {
 "scope": "inner"

From f903ed3008078178b39db90f2cabb4e4d5b1f054 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Mon, 18 Sep 2023 12:25:52 +0200
Subject: [PATCH 05/38] upd

---
 modules/key-vault/vault/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

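Review bot: `- Azure.KeyVault.Firewall` joins the suppression list with no recorded reason, and that rule is the one that checks a vault's network access restrictions, so this silences a network-exposure finding for whatever the suppression's selector matches (the selector is outside this hunk). A suppressed security rule should carry its justification next to it so it can be revisited, e.g. `# Azure.KeyVault.Firewall: <reason / tracking item>` above the new entry. If the selector is broader than the minimal test deployments this file is named for, narrow it to those rather than suppressing the rule for every module.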
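Review bot: The added `privateEndpointName: 'dep-${namePrefix}-pe-${serviceShort}'` sits inside the `privateDnsZoneGroup` object, but the private-endpoint module sets `privateEndpointName: privateEndpoint.name` itself and only reads `privateDnsZoneGroup.privateDNSResourceIds` from that object (visible in the patch-06 hunk of `modules/network/private-endpoint/main.bicep`), so as far as the visible code shows this key is never consumed. If it is meant to override the DNS zone group's parent name, the module has to read it; otherwise drop it from the test and from the README example added in patch 05 so the documented interface does not advertise an inert property.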
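Review bot: This hunk's `index 129b1b659d..561b11ccfe` starts from the blob patch 01 produced, but patch 02 already moved `main.json` to `4286830297` by reverting the same change, so the series does not apply linearly and this hunk will conflict on top of patch 02. It also hand-edits a bicep-compiled file a third time; regenerating `main.json` from `main.bicep` in a single commit would avoid both the conflict and the drift between source and output.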
diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md
index dd7ed9eca4..6230947d90 100644
--- a/modules/key-vault/vault/README.md
+++ b/modules/key-vault/vault/README.md
@@ -825,6 +825,7 @@ module vault './key-vault/vault/main.bicep' = {
 privateDNSResourceIds: [
 ''
 ]
+privateEndpointName: 'dep-pe-kvvpe'
 }
 service: 'vault'
 subnetResourceId: ''
@@ -873,7 +874,8 @@ module vault './key-vault/vault/main.bicep' = {
 "privateDnsZoneGroup": {
 "privateDNSResourceIds": [
 ""
-]
+],
+"privateEndpointName": "dep-pe-kvvpe"
 },
 "service": "vault",
 "subnetResourceId": "",

From 1f2dfaa34efd36cc46675e499a860878b9eb13d7 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Mon, 18 Sep 2023 21:15:35 +0200
Subject: [PATCH 06/38] utcnow

---
 modules/network/private-endpoint/main.bicep | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep
index c43e6c55ef..c7d5a5eb20 100644
--- a/modules/network/private-endpoint/main.bicep
+++ b/modules/network/private-endpoint/main.bicep
@@ -29,6 +29,8 @@ param privateDnsZoneGroup object = {}
 @description('Optional. Location for all Resources.')
 param location string = resourceGroup().location
 
+param uniquetimestamp string = utcNow()
+
 @allowed([
 ''
 'CanNotDelete'
@@ -93,7 +95,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
 }
 
 module privateEndpoint_privateDnsZoneGroup 'private-dns-zone-group/main.bicep' = if (!empty(privateDnsZoneGroup)) {
-name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-PrivateDnsZoneGroup'
+name: '${uniqueString(deployment().name, uniquetimestamp)}-PrivateEndpoint-PrivateDnsZoneGroup'
 params: {
 privateDNSResourceIds: privateDnsZoneGroup.privateDNSResourceIds
 privateEndpointName: privateEndpoint.name

From c123357540f68d73e7eafe810cdcbf6ec31af147 Mon Sep 17 00:00:00 2001
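Review bot: `param uniquetimestamp string = utcNow()` is added without the `@description('Optional. …')` decorator that the surrounding parameters carry (`location` two lines above), and because module parameters are the public interface it also becomes a caller-settable input and a README entry for what is really an internal salt. With `utcNow()` each deployment of the module yields a new nested deployment name, so repeated runs leave a fresh `…-PrivateEndpoint-PrivateDnsZoneGroup` record every time instead of updating one. If the motivation is that two endpoints in the same parent deployment collide on `uniqueString(deployment().name, location)`, salting with the endpoint's own `name` parameter is deterministic and unique per endpoint: `name: '${uniqueString(deployment().name, location, name)}-PrivateEndpoint-PrivateDnsZoneGroup'`. Patch 08 introduces the same pattern with `newGuid()`.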
From: Fabio Masciotra
Date: Mon, 18 Sep 2023 21:24:15 +0200
Subject: [PATCH 07/38] undo

---
 modules/network/private-endpoint/main.bicep | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep
index c7d5a5eb20..c43e6c55ef 100644
--- a/modules/network/private-endpoint/main.bicep
+++ b/modules/network/private-endpoint/main.bicep
@@ -29,8 +29,6 @@ param privateDnsZoneGroup object = {}
 @description('Optional. Location for all Resources.')
 param location string = resourceGroup().location
 
-param uniquetimestamp string = utcNow()
-
 @allowed([
 ''
 'CanNotDelete'
@@ -95,7 +93,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
 }
 
 module privateEndpoint_privateDnsZoneGroup 'private-dns-zone-group/main.bicep' = if (!empty(privateDnsZoneGroup)) {
-name: '${uniqueString(deployment().name, uniquetimestamp)}-PrivateEndpoint-PrivateDnsZoneGroup'
+name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-PrivateDnsZoneGroup'
 params: {
 privateDNSResourceIds: privateDnsZoneGroup.privateDNSResourceIds
 privateEndpointName: privateEndpoint.name

From 7abb6bc3b99ca18efaec439e298c54188189feab Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Mon, 18 Sep 2023 21:37:06 +0200
Subject: [PATCH 08/38] newGUID

---
 modules/network/private-endpoint/main.bicep | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep
index c43e6c55ef..21ba0a6925 100644
--- a/modules/network/private-endpoint/main.bicep
+++ b/modules/network/private-endpoint/main.bicep
@@ -52,6 +52,8 @@ param manualPrivateLinkServiceConnections array = []
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+param uniqueGUID string = newGuid()
+
 var enableReferencedModulesTelemetry = false
 
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
@@ -93,7 +95,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
 }
 
 module privateEndpoint_privateDnsZoneGroup 'private-dns-zone-group/main.bicep' = if (!empty(privateDnsZoneGroup)) {
-name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-PrivateDnsZoneGroup'
+name: '${uniqueString(deployment().name, uniqueGUID)}-PrivateEndpoint-PrivateDnsZoneGroup'
 params: {
 privateDNSResourceIds: privateDnsZoneGroup.privateDNSResourceIds
 privateEndpointName: privateEndpoint.name

From f4587b832ee70ace51e4c17fd9ab9f9add69f3ef Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Mon, 18 Sep 2023 21:44:05 +0200
Subject: [PATCH 09/38] test

---
 modules/network/private-endpoint/main.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep
index 21ba0a6925..a318ba3154 100644
--- a/modules/network/private-endpoint/main.bicep
+++ b/modules/network/private-endpoint/main.bicep
@@ -52,7 +52,7 @@ param manualPrivateLinkServiceConnections array = []
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-param uniqueGUID string = newGuid()
+param uniqueGUID string = 'ffdd'
 
 var enableReferencedModulesTelemetry = false
 

From e54cbd94b143d38372601690a0396d8b14ab58a1 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Mon, 18 Sep 2023 21:57:19 +0200
Subject: [PATCH 10/38] upd

---
 modules/network/private-endpoint/main.bicep | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

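Review bot: Patch 09's `param uniqueGUID string = 'ffdd'` commits a debugging placeholder as the module's default: the parameter is still named as if it held a GUID, it has no `@description` like the `enableDefaultTelemetry` parameter directly above it, and the nested deployment name derived from it in patch 08's second hunk is now constant for every deployment in the resource group. Both this literal and the `newGuid()` default it replaces belong in a scratch branch rather than the module interface. If the parameter is kept, give it the decorator the file uses for other inputs and a meaningful default; otherwise remove it and derive the name from stable inputs such as the endpoint's `name`.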
diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep
index a318ba3154..7d79e72a72 100644
--- a/modules/network/private-endpoint/main.bicep
+++ b/modules/network/private-endpoint/main.bicep
@@ -95,7 +95,8 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = {
 }
 
 module privateEndpoint_privateDnsZoneGroup 'private-dns-zone-group/main.bicep' = if (!empty(privateDnsZoneGroup)) {
-name: '${uniqueString(deployment().name, uniqueGUID)}-PrivateEndpoint-PrivateDnsZoneGroup'
+//name: '${uniqueString(deployment().name, uniqueGUID)}-PrivateEndpoint-PrivateDnsZoneGroup'
+name: 'PE-PrivateDnsZoneGroup'
 params: {
 privateDNSResourceIds: privateDnsZoneGroup.privateDNSResourceIds
 privateEndpointName: privateEndpoint.name

From d6e76769381cd90a15faba9a8187888e4c10a416 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Mon, 18 Sep 2023 22:01:19 +0200
Subject: [PATCH 11/38] upd

---
 .../network/private-endpoint/OLD_main.json | 519 ++++++++++++++++++
 modules/network/private-endpoint/main.json | 8 +-
 2 files changed, 525 insertions(+), 2 deletions(-)
 create mode 100644 modules/network/private-endpoint/OLD_main.json

diff --git a/modules/network/private-endpoint/OLD_main.json b/modules/network/private-endpoint/OLD_main.json
new file mode 100644
index 0000000000..ab7eacf336
--- /dev/null
+++ b/modules/network/private-endpoint/OLD_main.json
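Review bot: `name: 'PE-PrivateDnsZoneGroup'` gives every instance of this module the same nested deployment name, and deployment names are unique within their scope, so two private endpoints deployed into one resource group at the same time contend for that name (ARM typically rejects a deployment whose name is already running), which the replaced `uniqueString(deployment().name, …)` form avoided. The commented-out `//name:` line should not remain in module source, and `uniqueGUID` is left unreferenced as far as this hunk shows. A deterministic, per-endpoint name such as `name: '${uniqueString(deployment().name, location, name)}-PrivateEndpoint-PrivateDnsZoneGroup'` keeps redeploys idempotent and avoids the collision.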
@@ -0,0 +1,519 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.20.4.51522", + "templateHash": "13560297539192628062" + }, + "name": "Private Endpoints", + "description": "This module deploys a Private Endpoint.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the private endpoint resource to create." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "serviceResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the resource that needs to be connected to the network." + } + }, + "applicationSecurityGroups": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Application security groups in which the private endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The custom name of the network interface attached to the private endpoint." + } + }, + "ipConfigurations": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." + } + }, + "groupIds": { + "type": "array", + "metadata": { + "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." + } + }, + "privateDnsZoneGroup": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. 
A DNS zone group can support up to 5 DNS zones." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "lock": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "CanNotDelete", + "ReadOnly" + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." + } + }, + "customDnsConfigs": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "manualPrivateLinkServiceConnections": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Manual PrivateLink Service Connections." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "variables": { + "enableReferencedModulesTelemetry": false + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-04-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", + "customDnsConfigs": "[parameters('customDnsConfigs')]", + "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", + "ipConfigurations": "[parameters('ipConfigurations')]", + "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", + "privateLinkServiceConnections": [ + { + "name": "[parameters('name')]", + "properties": { + "privateLinkServiceId": "[parameters('serviceResourceId')]", + "groupIds": "[parameters('groupIds')]" + } + } + ], + "subnet": { + "id": "[parameters('subnetResourceId')]" + } + } + }, + { + "condition": "[not(empty(parameters('lock')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", + "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "properties": { + "level": "[parameters('lock')]", + "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + }, + "dependsOn": [ + 
"[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + ] + }, + { + "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "privateDNSResourceIds": { + "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" + }, + "privateEndpointName": { + "value": "[parameters('name')]" + }, + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.20.4.51522", + "templateHash": "17831763001460207830" + }, + "name": "Private Endpoint Private DNS Zone Groups", + "description": "This module deploys a Private Endpoint Private DNS Zone Group.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "privateEndpointName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." + } + }, + "privateDNSResourceIds": { + "type": "array", + "minLength": 1, + "maxLength": 5, + "metadata": { + "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." + } + }, + "name": { + "type": "string", + "defaultValue": "default", + "metadata": { + "description": "Optional. The name of the private DNS zone group." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "variables": { + "copy": [ + { + "name": "privateDnsZoneConfigs", + "count": "[length(parameters('privateDNSResourceIds'))]", + "input": { + "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", + "properties": { + "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" + } + } + } + ] + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2023-04-01", + "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", + "properties": { + "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the private endpoint DNS zone group." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the private endpoint DNS zone group." + }, + "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the private endpoint DNS zone group was deployed into." 
+ }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + ] + }, + { + "copy": { + "name": "privateEndpoint_roleAssignments", + "count": "[length(parameters('roleAssignments'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", + "principalIds": { + "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" + }, + "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", + "roleDefinitionIdOrName": { + "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" + }, + "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", + "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", + "resourceId": { + "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": 
"0.20.4.51522", + "templateHash": "11548486149222715894" + } + }, + "parameters": { + "principalIds": { + "type": "array", + "metadata": { + "description": "Required. The IDs of the principals to assign the role to." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the resource to apply the role assignment to." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Id of the delegated managed identity resource." 
+ } + } + }, + "variables": { + "builtInRoleNames": { + "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", + "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", + "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", + "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", + "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" + } + }, + "resources": [ + { + "copy": { + "name": "roleAssignment", + "count": "[length(parameters('principalIds'))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", + "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", + "properties": { + "description": "[parameters('description')]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", + "principalId": "[parameters('principalIds')[copyIndex()]]", + "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", + "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + ] + } + ], + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the private endpoint was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the private endpoint." 
+ }, + "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the private endpoint." + }, + "value": "[parameters('name')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" + } + } +} \ No newline at end of file diff --git a/modules/network/private-endpoint/main.json b/modules/network/private-endpoint/main.json index ab7eacf336..7b6abfde4f 100644 --- a/modules/network/private-endpoint/main.json +++ b/modules/network/private-endpoint/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.20.4.51522", - "templateHash": "13560297539192628062" + "templateHash": "1710908911445964270" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -117,6 +117,10 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } + }, + "uniqueGUID": { + "type": "string", + "defaultValue": "ffdd" } }, "variables": { @@ -181,7 +185,7 @@ "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, parameters('location')))]", + "name": "PE-PrivateDnsZoneGroup", "properties": { "expressionEvaluationOptions": { "scope": "inner" From 6a1504722df7a52d6044db8b422d406bd56d81cd Mon Sep 17 00:00:00 2001 
From: Fabio Masciotra Date: Mon, 18 Sep 2023 22:10:15 +0200 Subject: [PATCH 12/38] upd --- modules/key-vault/vault/main.json | 42 +- .../network/private-endpoint/OLD_main.json | 519 ------------------ modules/network/private-endpoint/main.bicep | 5 +- modules/network/private-endpoint/main.json | 18 +- 4 files changed, 29 insertions(+), 555 deletions(-) delete mode 100644 modules/network/private-endpoint/OLD_main.json diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json index 8e79b18bf9..4a3fb011e8 100644 --- a/modules/key-vault/vault/main.json +++ b/modules/key-vault/vault/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "2793046889488207368" + "version": "0.21.1.54444", + "templateHash": "7677613016975773230" }, "name": "Key Vaults", "description": "This module deploys a Key Vault.", @@ -369,8 +369,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "7542638391604115549" + "version": "0.21.1.54444", + "templateHash": "10458348557666655329" }, "name": "Key Vault Access Policies", "description": "This module deploys a Key Vault Access Policy.", @@ -504,8 +504,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3581368535918618501" + "version": "0.21.1.54444", + "templateHash": "4314059595515029873" }, "name": "Key Vault Secrets", "description": "This module deploys a Key Vault Secret.", @@ -644,8 +644,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "4251680927905962776" + "version": "0.21.1.54444", + "templateHash": "15814620610091788537" } }, "parameters": { 
@@ -839,8 +839,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "7510105499462799965" + "version": "0.21.1.54444", + "templateHash": "13427300513937033652" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", @@ -1025,8 +1025,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "3968881335142586299" + "version": "0.21.1.54444", + "templateHash": "8510219443070850278" } }, "parameters": { @@ -1226,8 +1226,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13560297539192628062" + "version": "0.21.1.54444", + "templateHash": "17036874096652764314" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -1426,8 +1426,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17831763001460207830" + "version": "0.21.1.54444", + "templateHash": "2469208411936339153" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -1564,8 +1564,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11548486149222715894" + "version": "0.21.1.54444", + "templateHash": "13032708393704093995" } }, "parameters": { @@ -1778,8 +1778,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "18089760146236492183" + "version": "0.21.1.54444", + "templateHash": "12411629325302614699" } }, "parameters": { @@ -1941,4 +1941,4 @@ "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '2022-07-01', 'full').location]" } } -} +} \ No newline at end of file diff --git a/modules/network/private-endpoint/OLD_main.json b/modules/network/private-endpoint/OLD_main.json deleted file mode 100644 index ab7eacf336..0000000000 
--- a/modules/network/private-endpoint/OLD_main.json +++ /dev/null 
@@ -1,519 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "13560297539192628062" - }, - "name": "Private Endpoints", - "description": "This module deploys a Private Endpoint.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Required. Name of the private endpoint resource to create." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "serviceResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the resource that needs to be connected to the network." - } - }, - "applicationSecurityGroups": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "ipConfigurations": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to." - } - }, - "privateDnsZoneGroup": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. The private DNS zone group configuration used to associate the private endpoint with one or multiple private DNS zones. 
A DNS zone group can support up to 5 DNS zones." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "lock": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ], - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "customDnsConfigs": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "manualPrivateLinkServiceConnections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Manual PrivateLink Service Connections." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "enableReferencedModulesTelemetry": false - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "applicationSecurityGroups": "[parameters('applicationSecurityGroups')]", - "customDnsConfigs": "[parameters('customDnsConfigs')]", - "customNetworkInterfaceName": "[parameters('customNetworkInterfaceName')]", - "ipConfigurations": "[parameters('ipConfigurations')]", - "manualPrivateLinkServiceConnections": "[parameters('manualPrivateLinkServiceConnections')]", - "privateLinkServiceConnections": [ - { - "name": "[parameters('name')]", - "properties": { - "privateLinkServiceId": "[parameters('serviceResourceId')]", - "groupIds": "[parameters('groupIds')]" - } - } - ], - "subnet": { - "id": "[parameters('subnetResourceId')]" - } - } - }, - { - "condition": "[not(empty(parameters('lock')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", - "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" - }, - "dependsOn": [ - 
"[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDNSResourceIds": { - "value": "[parameters('privateDnsZoneGroup').privateDNSResourceIds]" - }, - "privateEndpointName": { - "value": "[parameters('name')]" - }, - "enableDefaultTelemetry": { - "value": "[variables('enableReferencedModulesTelemetry')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17831763001460207830" - }, - "name": "Private Endpoint Private DNS Zone Groups", - "description": "This module deploys a Private Endpoint Private DNS Zone Group.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "privateEndpointName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." - } - }, - "privateDNSResourceIds": { - "type": "array", - "minLength": 1, - "maxLength": 5, - "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." - } - }, - "name": { - "type": "string", - "defaultValue": "default", - "metadata": { - "description": "Optional. The name of the private DNS zone group." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "variables": { - "copy": [ - { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", - "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", - "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" - } - } - } - ] - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", - "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", - "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint DNS zone group." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint DNS zone group." - }, - "value": "[resourceId('Microsoft.Network/privateEndpoints/privateDnsZoneGroups', parameters('privateEndpointName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint DNS zone group was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - }, - { - "copy": { - "name": "privateEndpoint_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": 
"0.20.4.51522", - "templateHash": "11548486149222715894" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/privateEndpoints/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - ] - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the private endpoint was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the private endpoint." 
- }, - "value": "[resourceId('Microsoft.Network/privateEndpoints', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the private endpoint." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), '2023-04-01', 'full').location]" - } - } -} \ No newline at end of file diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep index 7d79e72a72..c43e6c55ef 100644 --- a/modules/network/private-endpoint/main.bicep +++ b/modules/network/private-endpoint/main.bicep @@ -52,8 +52,6 @@ param manualPrivateLinkServiceConnections array = [] @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true -param uniqueGUID string = 'ffdd' - var enableReferencedModulesTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { @@ -95,8 +93,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = { } module privateEndpoint_privateDnsZoneGroup 'private-dns-zone-group/main.bicep' = if (!empty(privateDnsZoneGroup)) { - //name: '${uniqueString(deployment().name, uniqueGUID)}-PrivateEndpoint-PrivateDnsZoneGroup' - name: 'PE-PrivateDnsZoneGroup' + name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-PrivateDnsZoneGroup' params: { privateDNSResourceIds: privateDnsZoneGroup.privateDNSResourceIds privateEndpointName: privateEndpoint.name diff --git a/modules/network/private-endpoint/main.json b/modules/network/private-endpoint/main.json index 7b6abfde4f..9f424bd4da 100644 --- a/modules/network/private-endpoint/main.json +++ b/modules/network/private-endpoint/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "1710908911445964270" + "version": "0.21.1.54444", + "templateHash": "17036874096652764314" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -117,10 +117,6 @@ "metadata": { "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." } - }, - "uniqueGUID": { - "type": "string", - "defaultValue": "ffdd" } }, "variables": { @@ -185,7 +181,7 @@ "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "PE-PrivateDnsZoneGroup", + "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, parameters('location')))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -208,8 +204,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "17831763001460207830" + "version": "0.21.1.54444", + "templateHash": "2469208411936339153" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", @@ -346,8 +342,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.20.4.51522", - "templateHash": "11548486149222715894" + "version": "0.21.1.54444", + "templateHash": "13032708393704093995" } }, "parameters": { From ef1c4146388211e957ce8f698d93d4691610caeb Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Mon, 18 Sep 2023 22:21:00 +0200 Subject: [PATCH 13/38] upd --- modules/network/private-endpoint/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/network/private-endpoint/main.bicep b/modules/network/private-endpoint/main.bicep index c43e6c55ef..c47ebca698 100644 --- a/modules/network/private-endpoint/main.bicep +++ b/modules/network/private-endpoint/main.bicep 
@@ -93,7 +93,7 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-04-01' = { } module privateEndpoint_privateDnsZoneGroup 'private-dns-zone-group/main.bicep' = if (!empty(privateDnsZoneGroup)) { - name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-PrivateDnsZoneGroup' + name: '${uniqueString(deployment().name)}-PE-PrivateDnsZoneGroup' params: { privateDNSResourceIds: privateDnsZoneGroup.privateDNSResourceIds privateEndpointName: privateEndpoint.name From f5dc2235994504660008db649d54555b6bb922a9 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Mon, 18 Sep 2023 22:22:36 +0200 Subject: [PATCH 14/38] upd --- modules/network/private-endpoint/main.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/network/private-endpoint/main.json b/modules/network/private-endpoint/main.json index 9f424bd4da..ec5e636ac3 100644 --- a/modules/network/private-endpoint/main.json +++ b/modules/network/private-endpoint/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.21.1.54444", - "templateHash": "17036874096652764314" + "templateHash": "14580007913383558904" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", @@ -181,7 +181,7 @@ "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name, parameters('location')))]", + "name": "[format('{0}-PE-PrivateDnsZoneGroup', uniqueString(deployment().name))]", "properties": { "expressionEvaluationOptions": { "scope": "inner" From 613c346d4969ca6dcef6b68eb1499d4c7a579724 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Mon, 18 Sep 2023 22:34:58 +0200 Subject: [PATCH 15/38] removed 'all' permission from secret --- modules/key-vault/vault/.test/common/main.test.bicep | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/modules/key-vault/vault/.test/common/main.test.bicep b/modules/key-vault/vault/.test/common/main.test.bicep index 780dfdd843..b3a779208c 100644 --- a/modules/key-vault/vault/.test/common/main.test.bicep +++ b/modules/key-vault/vault/.test/common/main.test.bicep @@ -74,7 +74,8 @@ module testDeployment '../../main.bicep' = { 'update' ] secrets: [ - 'all' + 'get' + 'list' ] } tenantId: tenant().tenantId @@ -88,7 +89,8 @@ module testDeployment '../../main.bicep' = { 'delete' ] secrets: [ - 'all' + 'get' + 'list' ] } } From f36f0a7567223547b209cf809c84f4757d8ab080 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Mon, 18 Sep 2023 22:43:39 +0200 Subject: [PATCH 16/38] upd --- modules/key-vault/vault/.test/pe/main.test.bicep | 14 ++++++++++++++ modules/key-vault/vault/README.md | 12 ++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/modules/key-vault/vault/.test/pe/main.test.bicep b/modules/key-vault/vault/.test/pe/main.test.bicep index f92ad962f3..037330d05d 100644 --- a/modules/key-vault/vault/.test/pe/main.test.bicep +++ b/modules/key-vault/vault/.test/pe/main.test.bicep @@ -39,6 +39,20 @@ module nestedDependencies 'dependencies.bicep' = { } } +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' + location: location + } +} + // ============== // // Test Execution // // ============== // diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 6230947d90..d567cbd6ef 100644 --- a/modules/key-vault/vault/README.md 
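Review bot: Narrowing secrets from `'all'` to `get`/`list` is the right direction, but the fixture still hands the same `objectId` (the managed identity principal) two separate access-policy entries, and the second one does not appear to carry a `tenantId` while the first does. Key Vault identifies an access policy by tenant plus object id, so two entries for one principal are at best redundant and at worst ambiguous about which permission set wins; I would merge them into a single entry with `keys`, `secrets` and `certificates` listed together and set `tenantId: tenant().tenantId` on it. Since this block is mirrored into the README as the usage example, a one-line comment such as `// one policy per principal; Key Vault keys policies on (tenantId, objectId)` would stop readers copying the duplicate. The enclosing `testDeployment` module starts before this hunk.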
+++ b/modules/key-vault/vault/README.md @@ -423,7 +423,8 @@ module vault './key-vault/vault/main.bicep' = { 'update' ] secrets: [ - 'all' + 'get' + 'list' ] } tenantId: '' @@ -437,7 +438,8 @@ module vault './key-vault/vault/main.bicep' = { 'delete' ] secrets: [ - 'all' + 'get' + 'list' ] } } @@ -585,7 +587,8 @@ module vault './key-vault/vault/main.bicep' = { "update" ], "secrets": [ - "all" + "get", + "list" ] }, "tenantId": "" @@ -599,7 +602,8 @@ module vault './key-vault/vault/main.bicep' = { "delete" ], "secrets": [ - "all" + "get", + "list" ] } } From 7826ef471831cb6ccf84cd5e59c10dfe511ef297 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Mon, 18 Sep 2023 22:54:16 +0200 Subject: [PATCH 17/38] upd --- .../key-vault/vault/.test/pe/main.test.bicep | 19 ++++++++ modules/key-vault/vault/README.md | 48 +++++++++++++++++++ 2 files changed, 67 insertions(+) diff --git a/modules/key-vault/vault/.test/pe/main.test.bicep b/modules/key-vault/vault/.test/pe/main.test.bicep index 037330d05d..1f8e463ee2 100644 --- a/modules/key-vault/vault/.test/pe/main.test.bicep +++ b/modules/key-vault/vault/.test/pe/main.test.bicep 
@@ -63,8 +63,27 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}001' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName // Only for testing purposes enablePurgeProtection: false + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: nestedDependencies.outputs.subnetResourceId + ignoreMissingVnetServiceEndpoint: false + } + ] + } privateEndpoints: [ { privateDnsZoneGroup: { diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index d567cbd6ef..cfb4e9745f 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md @@ -821,8 +821,27 @@ module vault './key-vault/vault/main.bicep' = { // Required parameters name: 'kvvpe001' // Non-required parameters + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' enableDefaultTelemetry: '' enablePurgeProtection: false + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: '' + ignoreMissingVnetServiceEndpoint: false + } + ] + } privateEndpoints: [ { privateDnsZoneGroup: { 
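Review bot: The new `networkAcls` block hard-codes `40.74.28.0/23` as an allowed public range with no explanation, and the same lines are copied verbatim into the README as the canonical example, so a reader is likely to paste an arbitrary public CIDR into a production allow-list. A comment at the `ipRules` entry such as `// Test-only sample range; replace with your own egress CIDRs` would make the intent clear. It is also worth a note next to `bypass: 'AzureServices'` that this lets trusted Microsoft services through the `Deny` default, which is a deliberate widening of the firewall rather than part of the private-endpoint setup the test is named for. The enclosing `testDeployment` module starts before this hunk.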
@@ -866,12 +885,41 @@ module vault './key-vault/vault/main.bicep' = { "value": "kvvpe001" }, // Non-required parameters + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, "enableDefaultTelemetry": { "value": "" }, "enablePurgeProtection": { "value": false }, + "networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "ipRules": [ + { + "value": "40.74.28.0/23" + } + ], + "virtualNetworkRules": [ + { + "id": "", + "ignoreMissingVnetServiceEndpoint": false + } + ] + } + }, "privateEndpoints": { "value": [ { From cc5a9a1b20a5275bf79a59119325f5e3c0a755dd Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Tue, 19 Sep 2023 00:04:18 +0200 Subject: [PATCH 18/38] upd --- modules/key-vault/vault/.test/pe/dependencies.bicep | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/key-vault/vault/.test/pe/dependencies.bicep b/modules/key-vault/vault/.test/pe/dependencies.bicep index 4e44ac0dc4..b9eb57d972 100644 --- a/modules/key-vault/vault/.test/pe/dependencies.bicep +++ b/modules/key-vault/vault/.test/pe/dependencies.bicep @@ -20,6 +20,11 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { name: 'defaultSubnet' properties: { addressPrefix: cidrSubnet(addressPrefix, 16, 0) + serviceEndpoints: [ + { + service: 'Microsoft.KeyVault' + } + ] } } ] From f92341fa5f34d75ae4be5238428be6db59f24885 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Tue, 19 Sep 2023 00:20:04 +0200 Subject: [PATCH 19/38] upd --- .../vault/.test/common/main.test.bicep | 64 ++++++++-------- .../key-vault/vault/.test/min/main.test.bicep | 1 + .../key-vault/vault/.test/pe/main.test.bicep | 1 + modules/key-vault/vault/README.md | 76 +++---------------- 4 files changed, 44 insertions(+), 98 deletions(-) 
diff --git a/modules/key-vault/vault/.test/common/main.test.bicep b/modules/key-vault/vault/.test/common/main.test.bicep index b3a779208c..e44832e74b 100644 --- a/modules/key-vault/vault/.test/common/main.test.bicep +++ b/modules/key-vault/vault/.test/common/main.test.bicep @@ -64,44 +64,44 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}002' - accessPolicies: [ - { - objectId: nestedDependencies.outputs.managedIdentityPrincipalId - permissions: { - keys: [ - 'get' - 'list' - 'update' - ] - secrets: [ - 'get' - 'list' - ] - } - tenantId: tenant().tenantId - } - { - objectId: nestedDependencies.outputs.managedIdentityPrincipalId - permissions: { - certificates: [ - 'backup' - 'create' - 'delete' - ] - secrets: [ - 'get' - 'list' - ] - } - } - ] + // accessPolicies: [ + // { + // objectId: nestedDependencies.outputs.managedIdentityPrincipalId + // permissions: { + // keys: [ + // 'get' + // 'list' + // 'update' + // ] + // secrets: [ + // 'get' + // 'list' + // ] + // } + // tenantId: tenant().tenantId + // } + // { + // objectId: nestedDependencies.outputs.managedIdentityPrincipalId + // permissions: { + // certificates: [ + // 'backup' + // 'create' + // 'delete' + // ] + // secrets: [ + // 'get' + // 'list' + // ] + // } + // } + // ] diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName // Only for testing purposes enablePurgeProtection: false - enableRbacAuthorization: false + enableRbacAuthorization: true keys: [ { attributesExp: 1725109032 
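Review bot: Flipping `enableRbacAuthorization` to `true` here turns the commented-out `accessPolicies` into dead configuration, since the module's own parameter description states access policies are ignored under RBAC; commenting rather than deleting leaves a fixture that looks like it grants data-plane access but does not. After this change the managed identity from `nestedDependencies` has no data-plane grant at all, so the common test no longer exercises any authorization path; if the module exposes a role-assignment parameter, pairing this with a scoped `Key Vault Secrets User` assignment for that principal would keep the coverage (I cannot see such a parameter in this hunk, so confirm). Separately, the context line `attributesExp: 1725109032` is a fixed epoch that will make the fixture create already-expired keys once that date passes; a comment or a relative value would avoid a silent test change. The enclosing `testDeployment` module starts before and continues after this hunk.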
diff --git a/modules/key-vault/vault/.test/min/main.test.bicep b/modules/key-vault/vault/.test/min/main.test.bicep index 0ecea959ed..9323384b60 100644 --- a/modules/key-vault/vault/.test/min/main.test.bicep +++ b/modules/key-vault/vault/.test/min/main.test.bicep @@ -43,5 +43,6 @@ module testDeployment '../../main.bicep' = { name: '${namePrefix}${serviceShort}002' // Only for testing purposes enablePurgeProtection: false + enableRbacAuthorization: true } } diff --git a/modules/key-vault/vault/.test/pe/main.test.bicep b/modules/key-vault/vault/.test/pe/main.test.bicep index 1f8e463ee2..6230f07e42 100644 --- a/modules/key-vault/vault/.test/pe/main.test.bicep +++ b/modules/key-vault/vault/.test/pe/main.test.bicep @@ -69,6 +69,7 @@ module testDeployment '../../main.bicep' = { diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName // Only for testing purposes enablePurgeProtection: false + enableRbacAuthorization: true networkAcls: { bypass: 'AzureServices' defaultAction: 'Deny' diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index cfb4e9745f..8299647944 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md @@ -413,44 +413,13 @@ module vault './key-vault/vault/main.bicep' = { name: '${uniqueString(deployment().name, location)}-test-kvvcom' params: { name: 'kvvcom002' - accessPolicies: [ - { - objectId: '' - permissions: { - keys: [ - 'get' - 'list' - 'update' - ] - secrets: [ - 'get' - 'list' - ] - } - tenantId: '' - } - { - objectId: '' - permissions: { - certificates: [ - 'backup' - 'create' - 'delete' - ] - secrets: [ - 'get' - 'list' - ] - } - } - ] diagnosticEventHubAuthorizationRuleId: '' diagnosticEventHubName: '' diagnosticStorageAccountId: '' diagnosticWorkspaceId: '' enableDefaultTelemetry: '' enablePurgeProtection: false - enableRbacAuthorization: false + enableRbacAuthorization: true keys: [ { attributesExp: 1725109032 
@@ -576,39 +545,6 @@ module vault './key-vault/vault/main.bicep' = { "name": { "value": "kvvcom002" }, - "accessPolicies": { - "value": [ - { - "objectId": "", - "permissions": { - "keys": [ - "get", - "list", - "update" - ], - "secrets": [ - "get", - "list" - ] - }, - "tenantId": "" - }, - { - "objectId": "", - "permissions": { - "certificates": [ - "backup", - "create", - "delete" - ], - "secrets": [ - "get", - "list" - ] - } - } - ] - }, "diagnosticEventHubAuthorizationRuleId": { "value": "" }, @@ -628,7 +564,7 @@ module vault './key-vault/vault/main.bicep' = { "value": false }, "enableRbacAuthorization": { - "value": false + "value": true }, "keys": { "value": [ @@ -774,6 +710,7 @@ module vault './key-vault/vault/main.bicep' = { // Non-required parameters enableDefaultTelemetry: '' enablePurgeProtection: false + enableRbacAuthorization: true } } ``` @@ -800,6 +737,9 @@ module vault './key-vault/vault/main.bicep' = { }, "enablePurgeProtection": { "value": false + }, + "enableRbacAuthorization": { + "value": true } } } @@ -827,6 +767,7 @@ module vault './key-vault/vault/main.bicep' = { diagnosticWorkspaceId: '' enableDefaultTelemetry: '' enablePurgeProtection: false + enableRbacAuthorization: true networkAcls: { bypass: 'AzureServices' defaultAction: 'Deny' @@ -903,6 +844,9 @@ module vault './key-vault/vault/main.bicep' = { "enablePurgeProtection": { "value": false }, + "enableRbacAuthorization": { + "value": true + }, "networkAcls": { "value": { "bypass": "AzureServices", From f61433efc29b87368a89ca7827dacf81627d7ae9 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Tue, 19 Sep 2023 08:19:53 +0200 Subject: [PATCH 20/38] upd --- .../vault/.test/common/main.test.bicep | 32 +------------------ 1 file changed, 1 insertion(+), 31 deletions(-) diff --git a/modules/key-vault/vault/.test/common/main.test.bicep b/modules/key-vault/vault/.test/common/main.test.bicep index e44832e74b..42499a4e72 100644 --- a/modules/key-vault/vault/.test/common/main.test.bicep 
+++ b/modules/key-vault/vault/.test/common/main.test.bicep @@ -64,37 +64,7 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}002' - // accessPolicies: [ - // { - // objectId: nestedDependencies.outputs.managedIdentityPrincipalId - // permissions: { - // keys: [ - // 'get' - // 'list' - // 'update' - // ] - // secrets: [ - // 'get' - // 'list' - // ] - // } - // tenantId: tenant().tenantId - // } - // { - // objectId: nestedDependencies.outputs.managedIdentityPrincipalId - // permissions: { - // certificates: [ - // 'backup' - // 'create' - // 'delete' - // ] - // secrets: [ - // 'get' - // 'list' - // ] - // } - // } - // ] + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId From fbea0179f1c6367c90be7c0a0dda85b62b473df1 Mon Sep 17 00:00:00 2001 From: Elena Batanero Garcia Date: Tue, 19 Sep 2023 17:43:36 +0200 Subject: [PATCH 21/38] Added accesspolicies testing --- .../.test/accesspolicies/dependencies.bicep | 13 +++ .../.test/accesspolicies/main.test.bicep | 86 +++++++++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 modules/key-vault/vault/.test/accesspolicies/dependencies.bicep create mode 100644 modules/key-vault/vault/.test/accesspolicies/main.test.bicep diff --git a/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep b/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep new file mode 100644 index 0000000000..7be39e253a --- /dev/null +++ b/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep 
@@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep new file mode 100644 index 0000000000..051343b7f0 --- /dev/null +++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep 
@@ -0,0 +1,86 @@ +targetScope = 'subscription' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'kvvaccesspolicies' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}002' + // Only for testing purposes + enablePurgeProtection: false + accessPolicies: [ + { + objectId: nestedDependencies.outputs.managedIdentityPrincipalId + permissions: { + keys: [ + 'get' + 'list' + 'update' + ] + secrets: [ + 'get' + 'list' + ] + } + tenantId: tenant().tenantId + } + { + objectId: nestedDependencies.outputs.managedIdentityPrincipalId + permissions: 
{ + certificates: [ + 'backup' + 'create' + 'delete' + ] + secrets: [ + 'get' + 'list' + ] + } + } + ] + } +} From 32f06c1c2de0063507d2ff01c1d8f0305072bd01 Mon Sep 17 00:00:00 2001 From: Elena Batanero Garcia Date: Tue, 19 Sep 2023 17:56:10 +0200 Subject: [PATCH 22/38] Adding acls --- .../.test/accesspolicies/dependencies.bicep | 33 +++++++++++++++++ .../.test/accesspolicies/main.test.bicep | 35 +++++++++++++++++++ 2 files changed, 68 insertions(+) diff --git a/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep b/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep index 7be39e253a..152b6bd1bb 100644 --- a/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep +++ b/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep @@ -1,13 +1,46 @@ @description('Optional. The location to deploy to.') param location string = resourceGroup().location +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + @description('Required. The name of the Managed Identity to create.') param managedIdentityName string +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + serviceEndpoints: [ + { + service: 'Microsoft.KeyVault' + } + ] + } + } + ] + } +} + resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { name: managedIdentityName location: location } +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + @description('The principal ID of the created Managed Identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId 
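Review bot: This new access-policy test relies on the module default for `enableRbacAuthorization` instead of pinning it, yet the vault silently ignores `accessPolicies` when RBAC authorization is on, so a change to that default would let this test keep passing while validating nothing; add `enableRbacAuthorization: false` with a comment like `// Access policies are only honoured when RBAC authorization is off` to the params. The second `accessPolicies` entry repeats the same `objectId` as the first and omits `tenantId`; Key Vault keys policies on tenant plus object id, so merge the two into one entry and set `tenantId: tenant().tenantId` on it. The `enablePurgeProtection: false` line is correctly marked test-only, but the same marker would help on the `secrets: ['get', 'list']` grant so the README example does not read as a recommended production scope.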
diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep index 051343b7f0..e48824abcb 100644 --- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep +++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep @@ -36,6 +36,22 @@ module nestedDependencies 'dependencies.bicep' = { name: '${uniqueString(deployment().name, location)}-nestedDependencies' params: { managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' + location: location } } @@ -49,6 +65,10 @@ module testDeployment '../../main.bicep' = { params: { enableDefaultTelemetry: enableDefaultTelemetry name: '${namePrefix}${serviceShort}002' + diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId + diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName // Only for testing purposes enablePurgeProtection: false accessPolicies: [ 
@@ -82,5 +102,20 @@ module testDeployment '../../main.bicep' = { } } ] + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: nestedDependencies.outputs.subnetResourceId + ignoreMissingVnetServiceEndpoint: false + } + ] + } } } From 0059cdb85ade02276f2dcb16c135340eb9300266 Mon Sep 17 00:00:00 2001 From: Elena Batanero Garcia Date: Tue, 19 Sep 2023 18:02:22 +0200 Subject: [PATCH 23/38] fixed psrule --- .../key-vault/vault/.test/accesspolicies/main.test.bicep | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep index e48824abcb..ac874599f6 100644 --- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep +++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep @@ -12,7 +12,7 @@ param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg' param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'kvvaccesspolicies' +param serviceShort string = 'kvvaccesspolicy' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true @@ -117,5 +117,10 @@ module testDeployment '../../main.bicep' = { } ] } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } } } From 7abcfb6e7dad3b8d3f41d22cf3ee54c664052522 Mon Sep 17 00:00:00 2001 From: Elena Batanero Garcia Date: Tue, 19 Sep 2023 18:25:23 +0200 Subject: [PATCH 24/38] updated readme --- modules/key-vault/vault/README.md | 179 +++++++++++++++++++++++++++++- 1 file changed, 176 insertions(+), 3 deletions(-) 
diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 8299647944..35e8fac814 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md @@ -402,7 +402,180 @@ The following module usage examples are retrieved from the content of the files >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. -

Example 1: Common

+

Example 1: Accesspolicies

+ +
+ +via Bicep module + +```bicep +module vault './key-vault/vault/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-kvvaccesspolicy' + params: { + // Required parameters + name: 'kvvaccesspolicy002' + // Non-required parameters + accessPolicies: [ + { + objectId: '' + permissions: { + keys: [ + 'get' + 'list' + 'update' + ] + secrets: [ + 'get' + 'list' + ] + } + tenantId: '' + } + { + objectId: '' + permissions: { + certificates: [ + 'backup' + 'create' + 'delete' + ] + secrets: [ + 'get' + 'list' + ] + } + } + ] + diagnosticEventHubAuthorizationRuleId: '' + diagnosticEventHubName: '' + diagnosticStorageAccountId: '' + diagnosticWorkspaceId: '' + enableDefaultTelemetry: '' + enablePurgeProtection: false + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: '' + ignoreMissingVnetServiceEndpoint: false + } + ] + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "kvvaccesspolicy002" + }, + // Non-required parameters + "accessPolicies": { + "value": [ + { + "objectId": "", + "permissions": { + "keys": [ + "get", + "list", + "update" + ], + "secrets": [ + "get", + "list" + ] + }, + "tenantId": "" + }, + { + "objectId": "", + "permissions": { + "certificates": [ + "backup", + "create", + "delete" + ], + "secrets": [ + "get", + "list" + ] + } + } + ] + }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "" + }, + "diagnosticEventHubName": { + "value": "" + }, + "diagnosticStorageAccountId": { + "value": "" + }, + "diagnosticWorkspaceId": { + "value": "" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enablePurgeProtection": { + "value": false + }, + "networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "ipRules": [ + { + "value": "40.74.28.0/23" + } + ], + "virtualNetworkRules": [ + { + "id": "", + "ignoreMissingVnetServiceEndpoint": false + } + ] + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ +

Example 2: Common

@@ -695,7 +868,7 @@ module vault './key-vault/vault/main.bicep' = {

-

Example 2: Min

+

Example 3: Min

@@ -748,7 +921,7 @@ module vault './key-vault/vault/main.bicep' = {

-

Example 3: Pe

+

Example 4: Pe

From 419ac774779f71052a42f2c889c680c74c8c0581 Mon Sep 17 00:00:00 2001 From: Elena Batanero <46710322+elbatane@users.noreply.github.com> Date: Wed, 20 Sep 2023 12:34:46 +0200 Subject: [PATCH 25/38] Update modules/key-vault/vault/.test/accesspolicies/main.test.bicep Co-authored-by: Alexander Sehr --- modules/key-vault/vault/.test/accesspolicies/main.test.bicep | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep index ac874599f6..3164251ee8 100644 --- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep +++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep @@ -37,7 +37,6 @@ module nestedDependencies 'dependencies.bicep' = { params: { managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' - } } From ea456a65df57ec94a4994cd21f92285aad5b742a Mon Sep 17 00:00:00 2001 From: Elisa Anzelmo Date: Wed, 20 Sep 2023 16:38:31 +0200 Subject: [PATCH 26/38] enable rbac auth true as default --- modules/key-vault/vault/.test/min/main.test.bicep | 1 - modules/key-vault/vault/main.bicep | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/key-vault/vault/.test/min/main.test.bicep b/modules/key-vault/vault/.test/min/main.test.bicep index 9323384b60..0ecea959ed 100644 --- a/modules/key-vault/vault/.test/min/main.test.bicep +++ b/modules/key-vault/vault/.test/min/main.test.bicep @@ -43,6 +43,5 @@ module testDeployment '../../main.bicep' = { name: '${namePrefix}${serviceShort}002' // Only for testing purposes enablePurgeProtection: false - enableRbacAuthorization: true } } diff --git a/modules/key-vault/vault/main.bicep b/modules/key-vault/vault/main.bicep index 20eb584fd3..bd0fdbd759 100644 --- a/modules/key-vault/vault/main.bicep +++ b/modules/key-vault/vault/main.bicep 
@@ -38,7 +38,7 @@ param enableSoftDelete bool = true param softDeleteRetentionInDays int = 90 @description('Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC.') -param enableRbacAuthorization bool = false +param enableRbacAuthorization bool = true @description('Optional. The vault\'s create mode to indicate whether the vault need to be recovered or not. - recover or default.') param createMode string = 'default' From 2338b28b73973a2a1fd70b5ab2825b7d00b8635a Mon Sep 17 00:00:00 2001 From: Elisa Anzelmo Date: Wed, 20 Sep 2023 16:41:50 +0200 Subject: [PATCH 27/38] readme file update --- modules/key-vault/vault/README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 35e8fac814..97df3ef0f1 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md 
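Review bot: Changing the default of `enableRbacAuthorization` to `true` is a silent breaking change for any consumer who passes `accessPolicies` without setting this parameter: the vault deploys successfully but the service ignores the policies, so existing workloads lose data-plane access with no deployment error. The `@description` on the line above is now also contradictory, since it still says the vault is created with "the default value of false" and calls RBAC "a preview feature"; it should state that this module defaults to `true`, that any `accessPolicies` supplied while it is `true` are ignored, and drop the preview warning. Consider also failing fast when both are supplied, e.g. a comment plus guard of the form `// accessPolicies are ignored under RBAC; reject the combination rather than deploy a vault nobody can read` if the project's Bicep version supports such checks (I cannot confirm that from this hunk). The README and `main.json` need regenerating to carry the same wording.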
@@ -47,7 +47,7 @@ This module deploys a Key Vault.
 | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
 | `enablePurgeProtection` | bool | `True` | | Provide 'true' to enable Key Vault's purge protection feature. |
-| `enableRbacAuthorization` | bool | `False` | | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. |
+| `enableRbacAuthorization` | bool | `True` | | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. |
 | `enableSoftDelete` | bool | `True` | | Switch to enable/disable Key Vault's soft delete feature. |
 | `enableVaultForDeployment` | bool | `True` | | Specifies if the vault is enabled for deployment by script or compute.
|
 | `enableVaultForDiskEncryption` | bool | `True` | | Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. |
@@ -883,7 +883,6 @@ module vault './key-vault/vault/main.bicep' = {
 // Non-required parameters
 enableDefaultTelemetry: ''
 enablePurgeProtection: false
- enableRbacAuthorization: true
 }
 }
 ```
@@ -910,9 +909,6 @@ module vault './key-vault/vault/main.bicep' = {
 },
 "enablePurgeProtection": {
 "value": false
- },
- "enableRbacAuthorization": {
- "value": true
 }
 }
 }
From 53869ebcad1d70f20e3f25e6111a6ec7a1ebbe5e Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Wed, 20 Sep 2023 16:48:18 +0200
Subject: [PATCH 28/38] main.json updated
---
 modules/key-vault/vault/main.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json
index 4a3fb011e8..fbdb37f520 100644
--- a/modules/key-vault/vault/main.json
+++ b/modules/key-vault/vault/main.json
@@ -84,7 +84,7 @@
 },
 "enableRbacAuthorization": {
 "type": "bool",
- "defaultValue": false,
+ "defaultValue": true,
 "metadata": {
 "description": "Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC."
 }
@@ -1941,4 +1941,4 @@
 "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('name')), '2022-07-01', 'full').location]"
 }
 }
-}
\ No newline at end of file
+}
From d2f679dee7a0db359fb7947463f8e628ab4305b5 Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Wed, 20 Sep 2023 17:02:33 +0200
Subject: [PATCH 29/38] shorted storageAccountName for accesspolicies
---
 modules/key-vault/vault/.test/accesspolicies/main.test.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
index 3164251ee8..cf8949f9fc 100644
--- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
+++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
@@ -46,7 +46,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
- storageAccountName: 'dep${namePrefix}diasa${serviceShort}03'
+ storageAccountName: 'dep${namePrefix}sa${serviceShort}03'
 logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
 eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01'
 eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01'
From 6a34e4be92ad954de1d9ded6b161b10a0e33da7e Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Wed, 20 Sep 2023 17:04:59 +0200
Subject: [PATCH 30/38] updated shor prefix
---
 modules/key-vault/vault/.test/accesspolicies/main.test.bicep | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
index cf8949f9fc..c1c06e8512 100644
--- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
+++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
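Review bot: The storage account name in this hunk is shortened by dropping `dia`, but the constraint that forced it is not recorded anywhere, and the following patches in this series flip between `sa`/`diasa` and several `serviceShort` values before settling. The name is assembled from `dep` + `namePrefix` + an infix + `serviceShort` + `03`, so its length depends on two inputs a test author may change independently. I would add a comment next to this line stating the budget so the next rename does not repeat the churn, e.g. `// Storage account names are limited to 24 characters: 'dep' + namePrefix + infix + serviceShort + '03' must stay within that limit.` The enclosing `diagnosticDependencies` module declaration starts before this hunk.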
@@ -12,7 +12,7 @@ param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg'
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'kvvaccesspolicy'
+param serviceShort string = 'kvaccesspol'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
@@ -46,7 +46,7 @@ module diagnosticDependencies '../../../../.shared/.templates/diagnostic.depende
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
 params: {
- storageAccountName: 'dep${namePrefix}sa${serviceShort}03'
+ storageAccountName: 'dep${namePrefix}diasa${serviceShort}03'
 logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
 eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01'
 eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01'
From 1910310c163d8007806af24ab632517615e69b44 Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Wed, 20 Sep 2023 17:05:30 +0200
Subject: [PATCH 31/38] serviceShort string = 'kvvaccesspol'
---
 modules/key-vault/vault/.test/accesspolicies/main.test.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
index c1c06e8512..786e2d3afc 100644
--- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
+++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
@@ -12,7 +12,7 @@ param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg'
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'kvaccesspol'
+param serviceShort string = 'kvvaccesspol'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
From 17bce130deb5061b7689099fe93e423c5075daa6 Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Wed, 20 Sep 2023 17:23:22 +0200
Subject: [PATCH 32/38] readme update
---
 modules/key-vault/vault/README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md
index 97df3ef0f1..7bb44293e0 100644
--- a/modules/key-vault/vault/README.md
+++ b/modules/key-vault/vault/README.md
@@ -410,10 +410,10 @@ The following module usage examples are retrieved from the content of the files
 ```bicep
 module vault './key-vault/vault/main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-test-kvvaccesspolicy'
+ name: '${uniqueString(deployment().name, location)}-test-kvvaccesspol'
 params: {
 // Required parameters
- name: 'kvvaccesspolicy002'
+ name: 'kvvaccesspol002'
 // Non-required parameters
 accessPolicies: [
 {
@@ -490,7 +490,7 @@ module vault './key-vault/vault/main.bicep' = {
 "parameters": {
 // Required parameters
 "name": {
- "value": "kvvaccesspolicy002"
+ "value": "kvvaccesspol002"
 },
 // Non-required parameters
 "accessPolicies": {
From 20beb1afe39ebe78349c9495c1d1d6861a7e3c81 Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Wed, 20 Sep 2023 18:18:41 +0200
Subject: [PATCH 33/38] serviceShort string = 'kvvrbac'
---
 .../key-vault/vault/.test/accesspolicies/main.test.bicep | 2 +-
 modules/key-vault/vault/README.md | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
index 786e2d3afc..687ffdb8dc 100644
--- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
+++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
@@ -12,7 +12,7 @@ param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg'
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'kvvaccesspol'
+param serviceShort string = 'kvvrbac'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md
index 7bb44293e0..0c1dab6bbe 100644
--- a/modules/key-vault/vault/README.md
+++ b/modules/key-vault/vault/README.md
@@ -410,10 +410,10 @@ The following module usage examples are retrieved from the content of the files
 ```bicep
 module vault './key-vault/vault/main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-test-kvvaccesspol'
+ name: '${uniqueString(deployment().name, location)}-test-kvvrbac'
 params: {
 // Required parameters
- name: 'kvvaccesspol002'
+ name: 'kvvrbac002'
 // Non-required parameters
 accessPolicies: [
 {
@@ -490,7 +490,7 @@ module vault './key-vault/vault/main.bicep' = {
 "parameters": {
 // Required parameters
 "name": {
- "value": "kvvaccesspol002"
+ "value": "kvvrbac002"
 },
 // Non-required parameters
 "accessPolicies": {
From 62d42075196e29364bb5365a407e0696a6e12d39 Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Wed, 20 Sep 2023 20:07:03 +0200
Subject: [PATCH 34/38] removed comment
---
 modules/key-vault/vault/.test/accesspolicies/main.test.bicep | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
index 687ffdb8dc..1888baf08f 100644
--- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
+++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
@@ -68,7 +68,6 @@ module testDeployment '../../main.bicep' = {
 diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
 diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- // Only for testing purposes
 enablePurgeProtection: false
 accessPolicies: [
 {
From 6ebfedced9dc72c148561d0d0e69468d6ba3faa8 Mon Sep 17 00:00:00 2001
From: elisa anzelmo
Date: Thu, 21 Sep 2023 09:46:21 +0200
Subject: [PATCH 35/38] Update modules/key-vault/vault/.test/accesspolicies/main.test.bicep
Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
 modules/key-vault/vault/.test/accesspolicies/main.test.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
index 1888baf08f..f51833d1cb 100644
--- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
+++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
@@ -12,7 +12,7 @@ param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg'
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'kvvrbac'
+param serviceShort string = 'kvvap'
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
From ec1fab006c8e9a3183a9dda6f9c53e06be16183c Mon Sep 17 00:00:00 2001
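Review bot: Removing `// Only for testing purposes` above `enablePurgeProtection: false` in the PATCH 34 hunk drops the only explanation of why a protection feature the module enables by default (`enablePurgeProtection` is `True` in the README table) is switched off in this test; without it a reader cannot tell deliberate test hygiene from a configuration the test is meant to exercise. The `min` test in PATCH 26 keeps the identical comment above its own `enablePurgeProtection: false`, so the two test files are now inconsistent. I would keep the comment here, or, if the aim was to align the files, remove it from both and record the rationale once in a shared place. The enclosing `testDeployment` module declaration starts before this hunk.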
From: elisa anzelmo
Date: Thu, 21 Sep 2023 09:46:37 +0200
Subject: [PATCH 36/38] Update modules/key-vault/vault/main.bicep
Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
 modules/key-vault/vault/main.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/key-vault/vault/main.bicep b/modules/key-vault/vault/main.bicep
index bd0fdbd759..08892f54ee 100644
--- a/modules/key-vault/vault/main.bicep
+++ b/modules/key-vault/vault/main.bicep
@@ -37,7 +37,7 @@ param enableSoftDelete bool = true
 @description('Optional. softDelete data retention days. It accepts >=7 and <=90.')
 param softDeleteRetentionInDays int = 90
-@description('Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC.')
+@description('Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC.')
 param enableRbacAuthorization bool = true
 @description('Optional. The vault\'s create mode to indicate whether the vault need to be recovered or not. - recover or default.')
From ef41af9ae7b160474179248e6fdfa9647c860ea9 Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Thu, 21 Sep 2023 09:51:11 +0200
Subject: [PATCH 37/38] readme update
---
 modules/key-vault/vault/README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md
index 0c1dab6bbe..4ef8894b70 100644
--- a/modules/key-vault/vault/README.md
+++ b/modules/key-vault/vault/README.md
@@ -47,7 +47,7 @@ This module deploys a Key Vault.
 | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
 | `enablePurgeProtection` | bool | `True` | | Provide 'true' to enable Key Vault's purge protection feature. |
-| `enableRbacAuthorization` | bool | `True` | | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. |
+| `enableRbacAuthorization` | bool | `True` | | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC. |
 | `enableSoftDelete` | bool | `True` | | Switch to enable/disable Key Vault's soft delete feature. |
 | `enableVaultForDeployment` | bool | `True` | | Specifies if the vault is enabled for deployment by script or compute. |
 | `enableVaultForDiskEncryption` | bool | `True` | | Specifies if the azure platform has access to the vault for enabling disk encryption scenarios. |
@@ -410,10 +410,10 @@ The following module usage examples are retrieved from the content of the files
 ```bicep
 module vault './key-vault/vault/main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-test-kvvrbac'
+ name: '${uniqueString(deployment().name, location)}-test-kvvap'
 params: {
 // Required parameters
- name: 'kvvrbac002'
+ name: 'kvvap002'
 // Non-required parameters
 accessPolicies: [
 {
@@ -490,7 +490,7 @@ module vault './key-vault/vault/main.bicep' = {
 "parameters": {
 // Required parameters
 "name": {
- "value": "kvvrbac002"
+ "value": "kvvap002"
 },
 // Non-required parameters
 "accessPolicies": {
From a0a6447215323820b96e4f753d05755f3b01408a Mon Sep 17 00:00:00 2001
From: Elisa Anzelmo
Date: Thu, 21 Sep 2023 10:01:16 +0200
Subject: [PATCH 38/38] main.json updated
---
 modules/key-vault/vault/main.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/key-vault/vault/main.json b/modules/key-vault/vault/main.json
index fbdb37f520..e2d5cace78 100644
--- a/modules/key-vault/vault/main.json
+++ b/modules/key-vault/vault/main.json
@@ -86,7 +86,7 @@
 "type": "bool",
 "defaultValue": true,
 "metadata": {
- "description": "Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC."
+ "description": "Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC."
 }
 },
 "createMode": {