diff --git a/.azuredevops/modulePipelines/ms.storage.storageaccounts.yml b/.azuredevops/modulePipelines/ms.storage.storageaccounts.yml index 0dafd10e8b..4eefecb562 100644 --- a/.azuredevops/modulePipelines/ms.storage.storageaccounts.yml +++ b/.azuredevops/modulePipelines/ms.storage.storageaccounts.yml @@ -43,6 +43,7 @@ stages: removeDeployment: '${{ parameters.removeDeployment }}' deploymentBlocks: - path: $(modulePath)/.parameters/min.parameters.json + - path: $(modulePath)/.parameters/nfs.parameters.json - path: $(modulePath)/.parameters/parameters.json - path: $(modulePath)/.parameters/v1.parameters.json diff --git a/.github/workflows/ms.storage.storageaccounts.yml b/.github/workflows/ms.storage.storageaccounts.yml index aeb32ad24f..31341ed6f6 100644 --- a/.github/workflows/ms.storage.storageaccounts.yml +++ b/.github/workflows/ms.storage.storageaccounts.yml @@ -82,7 +82,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: - ['parameters.json', 'min.parameters.json', 'v1.parameters.json'] + ['parameters.json', 'min.parameters.json', 'nfs.parameters.json', 'v1.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/nfs.parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/nfs.parameters.json new file mode 100644 index 0000000000..7ae90dbdad --- /dev/null +++ b/arm/Microsoft.Storage/storageAccounts/.parameters/nfs.parameters.json 
@@ -0,0 +1,64 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>azsax002"
+ },
+ "storageAccountSku": {
+ "value": "Premium_LRS"
+ },
+ "storageAccountKind": {
+ "value": "FileStorage"
+ },
+ "allowBlobPublicAccess": {
+ "value": false
+ },
+ "supportsHttpsTrafficOnly": {
+ "value": false
+ },
+ "fileServices": {
+ "value": {
+ "shares": [
+ {
+ "name": "nfsfileshare",
+ "enabledProtocols": "NFS"
+ }
+ ]
+ }
+ },
+ "systemAssignedIdentity": {
+ "value": true
+ },
+ "userAssignedIdentities": {
+ "value": {
+ "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
+ }
+ },
+ "roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "<>"
+ ]
+ }
+ ]
+ },
+ "diagnosticLogsRetentionInDays": {
+ "value": 7
+ },
+ "diagnosticStorageAccountId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001"
+ },
+ "diagnosticWorkspaceId": {
+ "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001"
+ },
+ "diagnosticEventHubAuthorizationRuleId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
+ },
+ "diagnosticEventHubName": {
+ "value": "adp-<>-az-evh-x-001"
+ }
+ }
+}
diff --git a/arm/Microsoft.Storage/storageAccounts/blobServices/readme.md b/arm/Microsoft.Storage/storageAccounts/blobServices/readme.md
index 73bf955e50..fabfe84131 100644
--- a/arm/Microsoft.Storage/storageAccounts/blobServices/readme.md
+++ b/arm/Microsoft.Storage/storageAccounts/blobServices/readme.md
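Review bot: `"supportsHttpsTrafficOnly": false` switches secure transfer off for the whole validation account, not only for the NFS share, and the file sets no `networkAcls`, so the account presumably comes up accepting non-TLS SMB/REST traffic under whatever network scope the module defaults to. NFS shares do need secure transfer disabled, but Azure also expects NFS clients to come from a trusted virtual network or private endpoint, so the fixture should pair this setting with a default-deny `networkAcls` if the storage account module exposes that parameter. JSON cannot carry a comment, so the rationale belongs in the module readme next to the new `enabledProtocols` documentation, e.g. `NFS shares require supportsHttpsTrafficOnly to be false; restrict network access to trusted VNets or a private endpoint when using them.`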
@@ -31,7 +31,6 @@ This module can be used to deploy a blob service into a storage account. | `name` | string | `default` | | Optional. The name of the blob service | | `storageAccountName` | string | | | Required. Name of the Storage Account. | - ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.Storage/storageAccounts/fileServices/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/fileServices/deploy.bicep index 838a8539a8..1bb501d4c4 100644 --- a/arm/Microsoft.Storage/storageAccounts/fileServices/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/fileServices/deploy.bicep @@ -108,11 +108,13 @@ resource fileServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@ } module fileServices_shares 'shares/deploy.bicep' = [for (share, index) in shares: { - name: '${deployment().name}-File-${index}' + name: '${deployment().name}-shares-${index}' params: { storageAccountName: storageAccount.name fileServicesName: fileServices.name name: share.name + enabledProtocols: contains(share, 'enabledProtocols') ? share.enabledProtocols : 'SMB' + rootSquash: contains(share, 'rootSquash') ? share.rootSquash : 'NoRootSquash' sharedQuota: contains(share, 'sharedQuota') ? share.sharedQuota : 5120 roleAssignments: contains(share, 'roleAssignments') ? share.roleAssignments : [] } diff --git a/arm/Microsoft.Storage/storageAccounts/fileServices/shares/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/fileServices/shares/deploy.bicep index 5c19a0f042..2c59b7a933 100644 --- a/arm/Microsoft.Storage/storageAccounts/fileServices/shares/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/fileServices/shares/deploy.bicep 
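Review bot: The fallbacks `'SMB'` and `'NoRootSquash'` on the new `enabledProtocols` and `rootSquash` lines duplicate the defaults declared in `shares/deploy.bicep`, so there are now two places to keep in sync (the same pattern already exists for `sharedQuota` with `5120`). If the child module's default ever changes, this parent would keep passing the old value without any error; a comment above the `params` block, `// fallback values mirror the defaults in shares/deploy.bicep - keep in sync`, makes the coupling visible to the next maintainer. The rename of the nested deployment from `-File-` to `-shares-` is unrelated to the NFS feature and looks harmless, but it is worth a mention in the commit description.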
@@ -11,6 +11,21 @@ param name string @description('Optional. The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5TB (5120). For Large File Shares, the maximum size is 102400.') param sharedQuota int = 5120 +@allowed([ + 'NFS' + 'SMB' +]) +@description('Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share.') +param enabledProtocols string = 'SMB' + +@allowed([ + 'AllSquash' + 'NoRootSquash' + 'RootSquash' +]) +@description('Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares.') +param rootSquash string = 'NoRootSquash' + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleAssignments array = [] @@ -30,11 +45,13 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' existing } } -resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2019-06-01' = { +resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2021-08-01' = { name: name parent: storageAccount::fileService properties: { shareQuota: sharedQuota + rootSquash: enabledProtocols == 'NFS' ? rootSquash : null + enabledProtocols: enabledProtocols } } diff --git a/arm/Microsoft.Storage/storageAccounts/fileServices/shares/readme.md b/arm/Microsoft.Storage/storageAccounts/fileServices/shares/readme.md index 1ce7b8757f..9037718da9 100644 --- a/arm/Microsoft.Storage/storageAccounts/fileServices/shares/readme.md 
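Review bot: `param rootSquash string = 'NoRootSquash'` defaults to the most permissive of the three allowed values, so a root user on any mounting client keeps root rights on the share unless the caller overrides it; given the description itself says enforcement happens on the client OS, that should be stated. Suggest extending the `@description` with `'NoRootSquash' (the default) preserves client root privileges; prefer 'RootSquash' or 'AllSquash' where mount clients are not fully trusted.` The default appears to mirror the platform default, so changing it would be a behaviour change for existing NFS callers and the documentation fix is the lower-risk option.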
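Review bot: `enabledProtocols: enabledProtocols` is now sent on every deployment, including updates of shares that were created before this change, while the parameter's own description says the protocol can only be specified when creating a share. Please verify that redeploying an existing SMB share under `2021-08-01` with `enabledProtocols: 'SMB'` is accepted, and that an attempted protocol change on an existing share fails clearly rather than being ignored; the readme should state that the value is immutable after creation. The conditional `rootSquash: enabledProtocols == 'NFS' ? rootSquash : null` correctly keeps the NFS-only property off SMB shares.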
+++ b/arm/Microsoft.Storage/storageAccounts/fileServices/shares/readme.md @@ -7,16 +7,18 @@ This module deploys a storage account file share. | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | -| `Microsoft.Storage/storageAccounts/fileServices/shares` | 2019-06-01 | +| `Microsoft.Storage/storageAccounts/fileServices/shares` | 2021-08-01 | ## Parameters | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `enabledProtocols` | string | `SMB` | `[NFS, SMB]` | Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share. | | `fileServicesName` | string | `default` | | Optional. The name of the file service | | `name` | string | | | Required. The name of the file share to create | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `rootSquash` | string | `NoRootSquash` | `[AllSquash, NoRootSquash, RootSquash]` | Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares. | | `sharedQuota` | int | `5120` | | Optional. The maximum size of the share, in gigabytes. Must be greater than 0, and less than or equal to 5TB (5120). For Large File Shares, the maximum size is 102400. | | `storageAccountName` | string | | | Required. Name of the Storage Account. | 
@@ -53,4 +55,4 @@ This module deploys a storage account file share. ## Template references - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) -- [Storageaccounts/Fileservices/Shares](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/fileServices/shares) +- [Storageaccounts/Fileservices/Shares](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-08-01/storageAccounts/fileServices/shares) diff --git a/arm/Microsoft.Storage/storageAccounts/queueServices/readme.md b/arm/Microsoft.Storage/storageAccounts/queueServices/readme.md index c22e0b3c80..7b87611be7 100644 --- a/arm/Microsoft.Storage/storageAccounts/queueServices/readme.md +++ b/arm/Microsoft.Storage/storageAccounts/queueServices/readme.md @@ -27,7 +27,6 @@ This module can be used to deploy a file share service into a storage account. | `queues` | _[queues](queues/readme.md)_ array | `[]` | | Optional. Queues to create. | | `storageAccountName` | string | | | Required. Name of the Storage Account. | - ## Outputs | Output Name | Type | Description |