From f36470e18a2f8f5be201fcefab86fbe7a71459a3 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Fri, 4 Mar 2022 23:36:51 +0100 Subject: [PATCH 01/17] Add publicNetworkAccess --- .../.parameters/parameters.json | 3 + .../storageAccounts/deploy.bicep | 81 ++++++++++--------- .../storageAccounts/readme.md | 5 +- 3 files changed, 51 insertions(+), 38 deletions(-) diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json index f7dd177740..220d3cca01 100644 --- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json +++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json @@ -11,6 +11,9 @@ "allowBlobPublicAccess": { "value": false }, + "publicNetworkAccess": { + "value": false + }, "requireInfrastructureEncryption": { "value": true }, diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index fab95df512..2fe13b05a3 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep @@ -122,6 +122,14 @@ param cuaId string = '' @description('Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules.') param basetime string = utcNow('u') +@allowed([ + 'Enabled' + 'Disabled' +]) + +@description('Optional. Enable or disallow public network access to Storage Account..') +param publicNetworkAccess string = 'Enabled' + @description('Optional. Allows https traffic only to storage service if sets to true.') param supportsHttpsTrafficOnly bool = true 
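Review bot: The value written for `publicNetworkAccess` is the boolean `false`, while the parameter this same patch declares in deploy.bicep is a string constrained to `Enabled`/`Disabled`, so this parameter file cannot validate against the module it is meant to test; it should read `"value": "Disabled"`. Patch 02/17 in this series corrects it, but if the series is squashed the intermediate state is what reviewers bisect through, so the two hunks are better folded together.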
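Review bot: The new `publicNetworkAccess` parameter defaults to `Enabled`, and its description says nothing about the secure choice, whereas the readme entries for `networkAcls` and `privateEndpoints` explicitly recommend the restrictive setting; the description should follow that convention (it also ends with a stray double period): `@description('Optional. Enable or disallow public network access to the Storage Account. For security reasons, it is recommended to set it to \'Disabled\' and use private endpoints.')`. The blank line between `@allowed([...])` and `@description(...)` splits the decorator group; keep all decorators adjacent to the `param publicNetworkAccess` line. The identical text, typo and blank line are re-added in patch 08/17 (`@@ -122,6 +122,14 @@` of that patch), so fix both or only the final one if the series is squashed.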
@@ -146,52 +154,27 @@ var diagnosticsMetrics = [for metric in metricsToEnable: { var virtualNetworkRules = [for index in range(0, (empty(networkAcls) ? 0 : length(networkAcls.virtualNetworkRules))): { id: '${vNetId}/subnets/${networkAcls.virtualNetworkRules[index].subnet}' }] -var networkAcls_var = { - bypass: (empty(networkAcls) ? null : networkAcls.bypass) - defaultAction: (empty(networkAcls) ? null : networkAcls.defaultAction) - virtualNetworkRules: (empty(networkAcls) ? null : virtualNetworkRules) - ipRules: (empty(networkAcls) ? null : ((length(networkAcls.ipRules) == 0) ? null : networkAcls.ipRules)) -} -var azureFilesIdentityBasedAuthentication_var = azureFilesIdentityBasedAuthentication var maxNameLength = 24 var uniqueStoragenameUntrim = '${uniqueString('Storage Account${basetime}')}' var uniqueStoragename = length(uniqueStoragenameUntrim) > maxNameLength ? substring(uniqueStoragenameUntrim, 0, maxNameLength) : uniqueStoragenameUntrim -var saBaseProperties = { - encryption: { - keySource: 'Microsoft.Storage' - services: { - blob: (((storageAccountKind == 'BlockBlobStorage') || (storageAccountKind == 'BlobStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null) - file: (((storageAccountKind == 'FileStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null) - } - } - accessTier: (storageAccountKind == 'Storage') ? null : storageAccountAccessTier - supportsHttpsTrafficOnly: supportsHttpsTrafficOnly - isHnsEnabled: ((!enableHierarchicalNamespace) ? null : enableHierarchicalNamespace) - minimumTlsVersion: minimumTlsVersion - networkAcls: (empty(networkAcls) ? 
null : networkAcls_var) - allowBlobPublicAccess: allowBlobPublicAccess - requireInfrastructureEncryption: requireInfrastructureEncryption -} -var saOptIdBasedAuthProperties = { - azureFilesIdentityBasedAuthentication: azureFilesIdentityBasedAuthentication_var -} -var saProperties = (empty(azureFilesIdentityBasedAuthentication) ? saBaseProperties : union(saBaseProperties, saOptIdBasedAuthProperties)) +var supportsBlobService = storageAccountKind == 'BlockBlobStorage' || storageAccountKind == 'BlobStorage' || storageAccountKind == 'StorageV2' || storageAccountKind == 'Storage' +var supportsFileService = storageAccountKind == 'FileStorage' || storageAccountKind == 'StorageV2' || storageAccountKind == 'Storage' var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { type: identityType userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null -} : null +} : {} module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { name: 'pid-${cuaId}' params: {} } -resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = { +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { name: !empty(name) ? name : uniqueStoragename location: location kind: storageAccountKind 
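Review bot: The fallback for `identity` changes from `null` to `{}` at the end of this hunk, so an account deployed without any managed identity now sends an empty `identity` object instead of omitting the property. If the resource provider requires `type` whenever `identity` is present (I cannot confirm that from here), the no-identity path breaks, and that path is exactly the one a minimal parameter file exercises. Keep `} : null` unless a deployment with neither system- nor user-assigned identity has been verified with `{}`; patch 03/17 later reverts to `null`, which suggests it was not.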
@@ -200,16 +183,42 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = { } identity: identity tags: tags - properties: saProperties + properties: { + encryption: { + keySource: 'Microsoft.Storage' + services: { + blob: supportsBlobService ? { + enabled: true + } : null + file: supportsFileService ? { + enabled: true + } : null + } + requireInfrastructureEncryption: requireInfrastructureEncryption + } + accessTier: storageAccountKind != 'Storage' ? storageAccountAccessTier : null + supportsHttpsTrafficOnly: supportsHttpsTrafficOnly + isHnsEnabled: enableHierarchicalNamespace ? enableHierarchicalNamespace : null + minimumTlsVersion: minimumTlsVersion + networkAcls: !empty(networkAcls) ? { + bypass: !empty(networkAcls) ? networkAcls.bypass : null + defaultAction: !empty(networkAcls) ? networkAcls.defaultAction : null + virtualNetworkRules: !empty(networkAcls) ? virtualNetworkRules : null + ipRules: !empty(networkAcls) ? (length(networkAcls.ipRules) != 0 ? networkAcls.ipRules : null) : null + } : null + allowBlobPublicAccess: allowBlobPublicAccess + publicNetworkAccess: publicNetworkAccess + azureFilesIdentityBasedAuthentication: !empty(azureFilesIdentityBasedAuthentication) ? azureFilesIdentityBasedAuthentication : null + } } resource storageAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { name: '${storageAccount.name}-diagnosticSettings' properties: { - storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId - workspaceId: empty(diagnosticWorkspaceId) ? null : diagnosticWorkspaceId - eventHubAuthorizationRuleId: empty(diagnosticEventHubAuthorizationRuleId) ? null : diagnosticEventHubAuthorizationRuleId - eventHubName: empty(diagnosticEventHubName) ? 
null : diagnosticEventHubName + storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null + workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null + eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null + eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null metrics: diagnosticsMetrics } scope: storageAccount @@ -219,7 +228,7 @@ resource storageAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lo name: '${storageAccount.name}-${lock}-lock' properties: { level: lock - notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: storageAccount } @@ -237,7 +246,7 @@ module storageAccount_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [ name: '${uniqueString(deployment().name, location)}-Storage-PrivateEndpoints-${index}' params: { privateEndpointResourceId: storageAccount.id - privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) + privateEndpointVnetLocation: !empty(privateEndpoints) ? reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location : 'dummy' privateEndpointObj: endpoint tags: tags } diff --git a/arm/Microsoft.Storage/storageAccounts/readme.md b/arm/Microsoft.Storage/storageAccounts/readme.md index cc59f86366..57f8ab849f 100644 --- a/arm/Microsoft.Storage/storageAccounts/readme.md +++ b/arm/Microsoft.Storage/storageAccounts/readme.md 
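Review bot: Inside the new `networkAcls` object every property repeats the `!empty(networkAcls) ?` guard that already wraps the whole object, so the inner conditions can never be false and only obscure what is actually conditional; `bypass: networkAcls.bypass`, `defaultAction: networkAcls.defaultAction`, `virtualNetworkRules: virtualNetworkRules` and `ipRules: length(networkAcls.ipRules) != 0 ? networkAcls.ipRules : null` are equivalent. The same duplicated guards reappear in patch 04/17 (`@@ -200,7 +172,28 @@`) and survive into patch 08/17. The `storageAccount` resource begins before this hunk.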
@@ -11,7 +11,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | | `Microsoft.Network/privateEndpoints` | 2021-05-01 | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 | -| `Microsoft.Storage/storageAccounts` | 2021-06-01 | +| `Microsoft.Storage/storageAccounts` | 2021-08-01 | | `Microsoft.Storage/storageAccounts/blobServices` | 2021-06-01 | | `Microsoft.Storage/storageAccounts/blobServices/containers` | 2019-06-01 | | `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies` | 2019-06-01 | 
@@ -47,6 +47,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | `name` | string | | | Optional. Name of the Storage Account. | | `networkAcls` | object | `{object}` | | Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny | | `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible | +| `publicNetworkAccess` | string | `Enabled` | `[Enabled, Disabled]` | Optional. Enable or disallow public network access to Storage Account.. | | `queueServices` | _[queueServices](queueServices/readme.md)_ object | `{object}` | | Optional. Queue service and queues to create. | | `requireInfrastructureEncryption` | bool | `True` | | Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | 
@@ -187,7 +188,7 @@ The hierarchical namespace of the storage account (see parameter `enableHierarch - [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) - [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) -- [Storageaccounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-06-01/storageAccounts) +- [Storageaccounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-08-01/storageAccounts) - [Storageaccounts/Blobservices](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-06-01/storageAccounts/blobServices) - [Storageaccounts/Blobservices/Containers](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/blobServices/containers) - [Storageaccounts/Blobservices/Containers/Immutabilitypolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/blobServices/containers/immutabilityPolicies) From c09280f41f6ddf840e822f3febf15c37577406cc Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 00:11:17 +0100 Subject: [PATCH 02/17] fix --- .../storageAccounts/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json index 220d3cca01..09f382a7c6 100644 --- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json +++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json @@ -12,7 +12,7 @@ "value": false }, "publicNetworkAccess": { - "value": false + "value": "Disabled" }, "requireInfrastructureEncryption": { "value": true 
From 97e8e2d62188f80284910aa8099750dac407186d Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 10:39:49 +0100 Subject: [PATCH 03/17] Test requireInfraEnc --- .../.parameters/parameters.json | 6 +- .../storageAccounts/deploy.bicep | 81 +++++++++---------- 2 files changed, 39 insertions(+), 48 deletions(-) diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json index 09f382a7c6..d9e3a2ecd5 100644 --- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json +++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json @@ -11,9 +11,9 @@ "allowBlobPublicAccess": { "value": false }, - "publicNetworkAccess": { - "value": "Disabled" - }, + // "publicNetworkAccess": { + // "value": "Disabled" + // }, "requireInfrastructureEncryption": { "value": true }, diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index 2fe13b05a3..fab95df512 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep @@ -122,14 +122,6 @@ param cuaId string = '' @description('Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules.') param basetime string = utcNow('u') -@allowed([ - 'Enabled' - 'Disabled' -]) - -@description('Optional. Enable or disallow public network access to Storage Account..') -param publicNetworkAccess string = 'Enabled' - @description('Optional. Allows https traffic only to storage service if sets to true.') param supportsHttpsTrafficOnly bool = true 
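Review bot: This revert removes `publicNetworkAccess` from deploy.bicep (and the next hunk drops the resource back to `2021-06-01`), but readme.md as changed in patch 01/17 is left untouched, so the documented parameter table and the `2021-08-01` API version now disagree with the template; revert or regenerate the readme in the same commit. Commenting the value out with `//` in parameters.json also leaves a file that is no longer strict JSON — the deployment tooling may accept JSONC, but any strict parser in the pipeline (schema checks, linters) will reject it, so either delete the block or confirm every consumer tolerates comments.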
@@ -154,27 +146,52 @@ var diagnosticsMetrics = [for metric in metricsToEnable: { var virtualNetworkRules = [for index in range(0, (empty(networkAcls) ? 0 : length(networkAcls.virtualNetworkRules))): { id: '${vNetId}/subnets/${networkAcls.virtualNetworkRules[index].subnet}' }] +var networkAcls_var = { + bypass: (empty(networkAcls) ? null : networkAcls.bypass) + defaultAction: (empty(networkAcls) ? null : networkAcls.defaultAction) + virtualNetworkRules: (empty(networkAcls) ? null : virtualNetworkRules) + ipRules: (empty(networkAcls) ? null : ((length(networkAcls.ipRules) == 0) ? null : networkAcls.ipRules)) +} +var azureFilesIdentityBasedAuthentication_var = azureFilesIdentityBasedAuthentication var maxNameLength = 24 var uniqueStoragenameUntrim = '${uniqueString('Storage Account${basetime}')}' var uniqueStoragename = length(uniqueStoragenameUntrim) > maxNameLength ? substring(uniqueStoragenameUntrim, 0, maxNameLength) : uniqueStoragenameUntrim -var supportsBlobService = storageAccountKind == 'BlockBlobStorage' || storageAccountKind == 'BlobStorage' || storageAccountKind == 'StorageV2' || storageAccountKind == 'Storage' -var supportsFileService = storageAccountKind == 'FileStorage' || storageAccountKind == 'StorageV2' || storageAccountKind == 'Storage' +var saBaseProperties = { + encryption: { + keySource: 'Microsoft.Storage' + services: { + blob: (((storageAccountKind == 'BlockBlobStorage') || (storageAccountKind == 'BlobStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null) + file: (((storageAccountKind == 'FileStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null) + } + } + accessTier: (storageAccountKind == 'Storage') ? null : storageAccountAccessTier + supportsHttpsTrafficOnly: supportsHttpsTrafficOnly + isHnsEnabled: ((!enableHierarchicalNamespace) ? 
null : enableHierarchicalNamespace) + minimumTlsVersion: minimumTlsVersion + networkAcls: (empty(networkAcls) ? null : networkAcls_var) + allowBlobPublicAccess: allowBlobPublicAccess + requireInfrastructureEncryption: requireInfrastructureEncryption +} +var saOptIdBasedAuthProperties = { + azureFilesIdentityBasedAuthentication: azureFilesIdentityBasedAuthentication_var +} +var saProperties = (empty(azureFilesIdentityBasedAuthentication) ? saBaseProperties : union(saBaseProperties, saOptIdBasedAuthProperties)) var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { type: identityType userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null -} : {} +} : null module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { name: 'pid-${cuaId}' params: {} } -resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = { name: !empty(name) ? name : uniqueStoragename location: location kind: storageAccountKind 
@@ -183,42 +200,16 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { } identity: identity tags: tags - properties: { - encryption: { - keySource: 'Microsoft.Storage' - services: { - blob: supportsBlobService ? { - enabled: true - } : null - file: supportsFileService ? { - enabled: true - } : null - } - requireInfrastructureEncryption: requireInfrastructureEncryption - } - accessTier: storageAccountKind != 'Storage' ? storageAccountAccessTier : null - supportsHttpsTrafficOnly: supportsHttpsTrafficOnly - isHnsEnabled: enableHierarchicalNamespace ? enableHierarchicalNamespace : null - minimumTlsVersion: minimumTlsVersion - networkAcls: !empty(networkAcls) ? { - bypass: !empty(networkAcls) ? networkAcls.bypass : null - defaultAction: !empty(networkAcls) ? networkAcls.defaultAction : null - virtualNetworkRules: !empty(networkAcls) ? virtualNetworkRules : null - ipRules: !empty(networkAcls) ? (length(networkAcls.ipRules) != 0 ? networkAcls.ipRules : null) : null - } : null - allowBlobPublicAccess: allowBlobPublicAccess - publicNetworkAccess: publicNetworkAccess - azureFilesIdentityBasedAuthentication: !empty(azureFilesIdentityBasedAuthentication) ? azureFilesIdentityBasedAuthentication : null - } + properties: saProperties } resource storageAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { name: '${storageAccount.name}-diagnosticSettings' properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? 
diagnosticEventHubName : null + storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId + workspaceId: empty(diagnosticWorkspaceId) ? null : diagnosticWorkspaceId + eventHubAuthorizationRuleId: empty(diagnosticEventHubAuthorizationRuleId) ? null : diagnosticEventHubAuthorizationRuleId + eventHubName: empty(diagnosticEventHubName) ? null : diagnosticEventHubName metrics: diagnosticsMetrics } scope: storageAccount @@ -228,7 +219,7 @@ resource storageAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lo name: '${storageAccount.name}-${lock}-lock' properties: { level: lock - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: storageAccount } @@ -246,7 +237,7 @@ module storageAccount_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [ name: '${uniqueString(deployment().name, location)}-Storage-PrivateEndpoints-${index}' params: { privateEndpointResourceId: storageAccount.id - privateEndpointVnetLocation: !empty(privateEndpoints) ? reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location : 'dummy' + privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) privateEndpointObj: endpoint tags: tags } From 32dc452ebd756bb3f98519eddb1728237bcb4747 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 11:04:15 +0100 Subject: [PATCH 04/17] shuffle around on vars and properties --- .../storageAccounts/deploy.bicep | 51 ++++++++----------- 1 file changed, 22 insertions(+), 29 deletions(-) diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index fab95df512..fbe20e8334 100644 
--- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep 
@@ -146,39 +146,11 @@ var diagnosticsMetrics = [for metric in metricsToEnable: { var virtualNetworkRules = [for index in range(0, (empty(networkAcls) ? 0 : length(networkAcls.virtualNetworkRules))): { id: '${vNetId}/subnets/${networkAcls.virtualNetworkRules[index].subnet}' }] -var networkAcls_var = { - bypass: (empty(networkAcls) ? null : networkAcls.bypass) - defaultAction: (empty(networkAcls) ? null : networkAcls.defaultAction) - virtualNetworkRules: (empty(networkAcls) ? null : virtualNetworkRules) - ipRules: (empty(networkAcls) ? null : ((length(networkAcls.ipRules) == 0) ? null : networkAcls.ipRules)) -} -var azureFilesIdentityBasedAuthentication_var = azureFilesIdentityBasedAuthentication var maxNameLength = 24 var uniqueStoragenameUntrim = '${uniqueString('Storage Account${basetime}')}' var uniqueStoragename = length(uniqueStoragenameUntrim) > maxNameLength ? substring(uniqueStoragenameUntrim, 0, maxNameLength) : uniqueStoragenameUntrim -var saBaseProperties = { - encryption: { - keySource: 'Microsoft.Storage' - services: { - blob: (((storageAccountKind == 'BlockBlobStorage') || (storageAccountKind == 'BlobStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null) - file: (((storageAccountKind == 'FileStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null) - } - } - accessTier: (storageAccountKind == 'Storage') ? null : storageAccountAccessTier - supportsHttpsTrafficOnly: supportsHttpsTrafficOnly - isHnsEnabled: ((!enableHierarchicalNamespace) ? null : enableHierarchicalNamespace) - minimumTlsVersion: minimumTlsVersion - networkAcls: (empty(networkAcls) ? 
null : networkAcls_var) - allowBlobPublicAccess: allowBlobPublicAccess - requireInfrastructureEncryption: requireInfrastructureEncryption -} -var saOptIdBasedAuthProperties = { - azureFilesIdentityBasedAuthentication: azureFilesIdentityBasedAuthentication_var -} -var saProperties = (empty(azureFilesIdentityBasedAuthentication) ? saBaseProperties : union(saBaseProperties, saOptIdBasedAuthProperties)) - var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { 
@@ -200,7 +172,28 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = { } identity: identity tags: tags - properties: saProperties + properties: { + encryption: { + keySource: 'Microsoft.Storage' + services: { + blob: (((storageAccountKind == 'BlockBlobStorage') || (storageAccountKind == 'BlobStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null) + file: (((storageAccountKind == 'FileStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null) + } + } + accessTier: (storageAccountKind == 'Storage') ? null : storageAccountAccessTier + supportsHttpsTrafficOnly: supportsHttpsTrafficOnly + isHnsEnabled: ((!enableHierarchicalNamespace) ? null : enableHierarchicalNamespace) + minimumTlsVersion: minimumTlsVersion + networkAcls: !empty(networkAcls) ? { + bypass: !empty(networkAcls) ? networkAcls.bypass : null + defaultAction: !empty(networkAcls) ? networkAcls.defaultAction : null + virtualNetworkRules: !empty(networkAcls) ? virtualNetworkRules : null + ipRules: !empty(networkAcls) ? ((length(networkAcls.ipRules) != 0) ? networkAcls.ipRules : null) : null + } : null + allowBlobPublicAccess: allowBlobPublicAccess + requireInfrastructureEncryption: requireInfrastructureEncryption + azureFilesIdentityBasedAuthentication: !empty(azureFilesIdentityBasedAuthentication) ? azureFilesIdentityBasedAuthentication : null + } } resource storageAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { From d6e98c71cea752e904cea3dc7b35f3aa76714e61 Mon Sep 17 00:00:00 2001 
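Review bot: `requireInfrastructureEncryption: requireInfrastructureEncryption` is placed at the top level of `properties` rather than inside the `encryption` object, where the storage account schema defines it (`properties.encryption.requireInfrastructureEncryption`); at the top level it is not a recognised property, so the parameter silently has no effect and an account requested with infrastructure encryption is deployed without it. Move the line into `encryption` next to `services` (patch 06/17 in this series does this). The inner `!empty(networkAcls) ?` checks inside the already-guarded `networkAcls` object are redundant and can be dropped.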
From: Marius Storhaug Date: Sat, 5 Mar 2022 11:11:36 +0100 Subject: [PATCH 05/17] Test --- .github/workflows/ms.storage.storageaccounts.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ms.storage.storageaccounts.yml b/.github/workflows/ms.storage.storageaccounts.yml index aeb32ad24f..11014f3555 100644 --- a/.github/workflows/ms.storage.storageaccounts.yml +++ b/.github/workflows/ms.storage.storageaccounts.yml @@ -7,15 +7,15 @@ on: type: boolean description: 'Remove deployed module' required: false - default: 'true' + default: 'false' # TODO set to true before PR prerelease: type: boolean description: 'Publish prerelease module' required: false default: 'false' push: - branches: - - main + # branches: + # - main paths: - '.github/actions/templates/**' - '.github/workflows/ms.storage.storageaccounts.yml' @@ -82,7 +82,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: - ['parameters.json', 'min.parameters.json', 'v1.parameters.json'] + ['parameters.json'] #['parameters.json', 'min.parameters.json', 'v1.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 From 14e6ca5064237d77ec22375ffa4146300feb3573 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 11:30:58 +0100 Subject: [PATCH 06/17] test --- arm/Microsoft.Storage/storageAccounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index fbe20e8334..05a78c166e 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep 
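Review bot: All three edits to this workflow are temporary test scaffolding — `default: 'false' # TODO set to true before PR` keeps every test deployment alive, the commented-out `branches: - main` disables the post-merge run, and the matrix collapsed to `['parameters.json']` skips `min.parameters.json` and `v1.parameters.json` — so a regression on the minimal or v1 parameter path is invisible while the series is under test, and undeleted test storage accounts accumulate in the test subscription. Make sure this commit is dropped or reverted before merge; at minimum restore the full matrix, since the minimal parameter file is the one that exercises the no-identity and no-networkAcls branches changed elsewhere in the series.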
@@ -179,6 +179,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = { blob: (((storageAccountKind == 'BlockBlobStorage') || (storageAccountKind == 'BlobStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null) file: (((storageAccountKind == 'FileStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null) } + requireInfrastructureEncryption: requireInfrastructureEncryption } accessTier: (storageAccountKind == 'Storage') ? null : storageAccountAccessTier supportsHttpsTrafficOnly: supportsHttpsTrafficOnly @@ -191,7 +192,6 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = { ipRules: !empty(networkAcls) ? ((length(networkAcls.ipRules) != 0) ? networkAcls.ipRules : null) : null } : null allowBlobPublicAccess: allowBlobPublicAccess - requireInfrastructureEncryption: requireInfrastructureEncryption azureFilesIdentityBasedAuthentication: !empty(azureFilesIdentityBasedAuthentication) ? azureFilesIdentityBasedAuthentication : null } } From 3c8e83044d8b22d3a0b4131513013016faf402db Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 14:24:26 +0100 Subject: [PATCH 07/17] test reqInfraEnc false --- .../storageAccounts/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json index d9e3a2ecd5..501807b932 100644 --- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json +++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json @@ -15,7 +15,7 @@ // "value": "Disabled" // }, "requireInfrastructureEncryption": { - "value": true + "value": false }, "privateEndpoints": { "value": [ From 848459fc614d53bd8e28c513d74b21e774ea4330 Mon Sep 17 00:00:00 2001 
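Review bot: Moving `requireInfrastructureEncryption` into `encryption` matches the resource schema, but nothing documents why, and this series has already moved it between the top level and `encryption` twice (patches 03/17 and 04/17), so it is likely to drift back to a position where it is silently ignored. Add a comment above the line, e.g. `// Must live under encryption; at the top level of properties it is not part of the schema and has no effect.` The enclosing `storageAccount` resource starts before this hunk.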
From: Marius Storhaug Date: Sat, 5 Mar 2022 14:42:19 +0100 Subject: [PATCH 08/17] Test publicNetowkrAccess property --- .../.parameters/parameters.json | 8 ++++---- .../storageAccounts/deploy.bicep | 20 +++++++++++++++++-- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json index 501807b932..09f382a7c6 100644 --- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json +++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json @@ -11,11 +11,11 @@ "allowBlobPublicAccess": { "value": false }, - // "publicNetworkAccess": { - // "value": "Disabled" - // }, + "publicNetworkAccess": { + "value": "Disabled" + }, "requireInfrastructureEncryption": { - "value": false + "value": true }, "privateEndpoints": { "value": [ diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index 05a78c166e..3ca20229a6 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep @@ -122,6 +122,14 @@ param cuaId string = '' @description('Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules.') param basetime string = utcNow('u') +@allowed([ + 'Enabled' + 'Disabled' +]) + +@description('Optional. Enable or disallow public network access to Storage Account..') +param publicNetworkAccess string = 'Enabled' + @description('Optional. Allows https traffic only to storage service if sets to true.') param supportsHttpsTrafficOnly bool = true 
@@ -151,6 +159,9 @@ var maxNameLength = 24 var uniqueStoragenameUntrim = '${uniqueString('Storage Account${basetime}')}' var uniqueStoragename = length(uniqueStoragenameUntrim) > maxNameLength ? substring(uniqueStoragenameUntrim, 0, maxNameLength) : uniqueStoragenameUntrim +var supportsBlobService = storageAccountKind == 'BlockBlobStorage' || storageAccountKind == 'BlobStorage' || storageAccountKind == 'StorageV2' || storageAccountKind == 'Storage' +var supportsFileService = storageAccountKind == 'FileStorage' || storageAccountKind == 'StorageV2' || storageAccountKind == 'Storage' + var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { @@ -176,8 +187,12 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = { encryption: { keySource: 'Microsoft.Storage' services: { - blob: (((storageAccountKind == 'BlockBlobStorage') || (storageAccountKind == 'BlobStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null) - file: (((storageAccountKind == 'FileStorage') || (storageAccountKind == 'StorageV2') || (storageAccountKind == 'Storage')) ? json('{"enabled": true}') : null) + blob: supportsBlobService ? { + enabled: true + } : null + file: supportsFileService ? { + enabled: true + } : null } requireInfrastructureEncryption: requireInfrastructureEncryption } @@ -192,6 +207,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = { ipRules: !empty(networkAcls) ? ((length(networkAcls.ipRules) != 0) ? networkAcls.ipRules : null) : null } : null allowBlobPublicAccess: allowBlobPublicAccess + publicNetworkAccess: publicNetworkAccess azureFilesIdentityBasedAuthentication: !empty(azureFilesIdentityBasedAuthentication) ? azureFilesIdentityBasedAuthentication : null } } 
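Review bot: The added `publicNetworkAccess: publicNetworkAccess` line sits directly under `allowBlobPublicAccess`, and the two names read as the same control even though they govern different things: one is network reachability of the account endpoints, the other is anonymous read access to containers and blobs. A short comment on the added line, `// Network-level reachability; distinct from allowBlobPublicAccess (anonymous blob read)`, would stop a reader from assuming that setting one of them to the restrictive value covers the other. The enclosing `storageAccount` resource starts outside the hunk.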
From 21f12915b6e63bdd3847543694feaba61ba79b5f Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 14:55:03 +0100 Subject: [PATCH 09/17] Test enabling the publicNetworkAccess property --- .../storageAccounts/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json index 09f382a7c6..91098bf26f 100644 --- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json +++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json @@ -12,7 +12,7 @@ "value": false }, "publicNetworkAccess": { - "value": "Disabled" + "value": "Enabled" }, "requireInfrastructureEncryption": { "value": true From 6160a7e5fbd5a5b7a119ded7317a401d01e81c5a Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 15:12:39 +0100 Subject: [PATCH 10/17] Test refactor SA --- .../storageAccounts/.parameters/parameters.json | 2 +- arm/Microsoft.Storage/storageAccounts/deploy.bicep | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json index 91098bf26f..09f382a7c6 100644 --- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json +++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json @@ -12,7 +12,7 @@ "value": false }, "publicNetworkAccess": { - "value": "Enabled" + "value": "Disabled" }, "requireInfrastructureEncryption": { "value": true diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index 3ca20229a6..de8db50179 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep 
@@ -215,10 +215,10 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = { resource storageAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { name: '${storageAccount.name}-diagnosticSettings' properties: { - storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId - workspaceId: empty(diagnosticWorkspaceId) ? null : diagnosticWorkspaceId - eventHubAuthorizationRuleId: empty(diagnosticEventHubAuthorizationRuleId) ? null : diagnosticEventHubAuthorizationRuleId - eventHubName: empty(diagnosticEventHubName) ? null : diagnosticEventHubName + storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null + workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null + eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null + eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null metrics: diagnosticsMetrics } scope: storageAccount @@ -228,7 +228,7 @@ resource storageAccount_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lo name: '${storageAccount.name}-${lock}-lock' properties: { level: lock - notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' } scope: storageAccount } 
@@ -246,7 +246,7 @@ module storageAccount_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [ name: '${uniqueString(deployment().name, location)}-Storage-PrivateEndpoints-${index}' params: { privateEndpointResourceId: storageAccount.id - privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) + privateEndpointVnetLocation: !empty(privateEndpoints) ? reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location : 'dummy' privateEndpointObj: endpoint tags: tags } From 61e4d6248902180c38afe0eceaa9c8b9cace864e Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 15:27:25 +0100 Subject: [PATCH 11/17] Test further refactoring --- arm/Microsoft.Storage/storageAccounts/deploy.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index de8db50179..19ed56bcf9 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep 
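Review bot: With the ternary flipped, `privateEndpointVnetLocation` still carries a `'dummy'` fallback that looks unreachable: if this module is deployed in a loop over `privateEndpoints`, as the `endpoint` and `index` references suggest, `!empty(privateEndpoints)` is always true inside the body. If the fallback exists to keep `reference()` from being evaluated when the array is empty, that deserves a comment such as `// 'dummy' keeps reference() from being evaluated when privateEndpoints is empty`; otherwise the line reduces to `privateEndpointVnetLocation: reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location`. The hard-coded `'2020-06-01'` API version for the VNet lookup is also buried inside the expression and would read better as a named variable. The enclosing module loop starts outside the hunk.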
@@ -196,15 +196,15 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = { } requireInfrastructureEncryption: requireInfrastructureEncryption } - accessTier: (storageAccountKind == 'Storage') ? null : storageAccountAccessTier + accessTier: storageAccountKind != 'Storage' ? storageAccountAccessTier : null supportsHttpsTrafficOnly: supportsHttpsTrafficOnly - isHnsEnabled: ((!enableHierarchicalNamespace) ? null : enableHierarchicalNamespace) + isHnsEnabled: enableHierarchicalNamespace ? enableHierarchicalNamespace : null minimumTlsVersion: minimumTlsVersion networkAcls: !empty(networkAcls) ? { bypass: !empty(networkAcls) ? networkAcls.bypass : null defaultAction: !empty(networkAcls) ? networkAcls.defaultAction : null virtualNetworkRules: !empty(networkAcls) ? virtualNetworkRules : null - ipRules: !empty(networkAcls) ? ((length(networkAcls.ipRules) != 0) ? networkAcls.ipRules : null) : null + ipRules: !empty(networkAcls) ? (length(networkAcls.ipRules) != 0 ? networkAcls.ipRules : null) : null } : null allowBlobPublicAccess: allowBlobPublicAccess publicNetworkAccess: publicNetworkAccess From 62ebe4c61068c6e5a07924dece63975ffd328ce0 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 15:39:55 +0100 Subject: [PATCH 12/17] upgrade version --- arm/Microsoft.Storage/storageAccounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index 19ed56bcf9..5a9f091387 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep 
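Review bot: The reworked `ipRules` line still repeats the `!empty(networkAcls) ?` guard that the enclosing `networkAcls: !empty(networkAcls) ? { ... } : null` ternary already applies, as do the `bypass`, `defaultAction` and `virtualNetworkRules` lines above it, so every property inside the object tests the same condition twice. Dropping the inner guard on all four, e.g. `ipRules: length(networkAcls.ipRules) != 0 ? networkAcls.ipRules : null`, leaves the behaviour unchanged and makes the block easier to read. Likewise the new `isHnsEnabled: enableHierarchicalNamespace ? enableHierarchicalNamespace : null` can only yield `true` or `null` and reads more clearly as `isHnsEnabled: enableHierarchicalNamespace ? true : null`. The enclosing `storageAccount` resource starts and ends outside the hunk.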
@@ -174,7 +174,7 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { params: {} } -resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = { +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { name: !empty(name) ? name : uniqueStoragename location: location kind: storageAccountKind From 236fbaa00229ffa230b207db1eeb804a33b5b934 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 15:52:38 +0100 Subject: [PATCH 13/17] Test more scenarios --- .github/workflows/ms.storage.storageaccounts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ms.storage.storageaccounts.yml b/.github/workflows/ms.storage.storageaccounts.yml index 11014f3555..40951ef59a 100644 --- a/.github/workflows/ms.storage.storageaccounts.yml +++ b/.github/workflows/ms.storage.storageaccounts.yml @@ -82,7 +82,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: - ['parameters.json'] #['parameters.json', 'min.parameters.json', 'v1.parameters.json'] + ['parameters.json', 'min.parameters.json', 'v1.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 From fd714468eaf42ba47c16a7d2bd51c4af642d935c Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 15:53:04 +0100 Subject: [PATCH 14/17] reset removeal to true --- .github/workflows/ms.storage.storageaccounts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ms.storage.storageaccounts.yml b/.github/workflows/ms.storage.storageaccounts.yml index 40951ef59a..50b2de5481 100644 --- a/.github/workflows/ms.storage.storageaccounts.yml +++ b/.github/workflows/ms.storage.storageaccounts.yml @@ -7,7 +7,7 @@ on: type: boolean description: 'Remove deployed module' required: false - default: 'false' # TODO set to true before PR + default: 'true' prerelease: type: boolean description: 'Publish prerelease module' From 3fe58784c9e7f0d3d20c0a48608b875c03f4347d Mon Sep 17 00:00:00 2001 
From: Marius Storhaug Date: Sat, 5 Mar 2022 16:12:58 +0100 Subject: [PATCH 15/17] requireInfraEnc not supported on "Storage" (v1) --- arm/Microsoft.Storage/storageAccounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index 5a9f091387..ec31d0df66 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep @@ -194,7 +194,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { enabled: true } : null } - requireInfrastructureEncryption: requireInfrastructureEncryption + requireInfrastructureEncryption: storageAccountKind != 'Storage' ? requireInfrastructureEncryption : null } accessTier: storageAccountKind != 'Storage' ? storageAccountAccessTier : null supportsHttpsTrafficOnly: supportsHttpsTrafficOnly From 06a971689d652cfa9a63c47fb11f4afb3ff97c1a Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 16:49:39 +0100 Subject: [PATCH 16/17] capitalization --- arm/Microsoft.Storage/storageAccounts/deploy.bicep | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index ec31d0df66..854dcc7b97 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep 
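Review bot: The new condition silently ignores `requireInfrastructureEncryption` when `storageAccountKind` is `'Storage'`, so a caller who sets the parameter to `true` for a v1 account gets a successful deployment without infrastructure encryption and no signal that the request was dropped. The parameter description and README are outside this hunk, so at minimum the line deserves a comment such as `// Not supported on kind 'Storage' (v1): the parameter is ignored for that kind`, and the parameter's `@description` should state the same limitation; a stricter alternative is to reject that combination up front rather than drop it. The enclosing `storageAccount` resource starts outside the hunk.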
@@ -156,14 +156,13 @@ var virtualNetworkRules = [for index in range(0, (empty(networkAcls) ? 0 : lengt }] var maxNameLength = 24 -var uniqueStoragenameUntrim = '${uniqueString('Storage Account${basetime}')}' -var uniqueStoragename = length(uniqueStoragenameUntrim) > maxNameLength ? substring(uniqueStoragenameUntrim, 0, maxNameLength) : uniqueStoragenameUntrim +var uniqueStorageNameUntrim = '${uniqueString('Storage Account${basetime}')}' +var uniqueStorageName = length(uniqueStorageNameUntrim) > maxNameLength ? substring(uniqueStorageNameUntrim, 0, maxNameLength) : uniqueStorageNameUntrim var supportsBlobService = storageAccountKind == 'BlockBlobStorage' || storageAccountKind == 'BlobStorage' || storageAccountKind == 'StorageV2' || storageAccountKind == 'Storage' var supportsFileService = storageAccountKind == 'FileStorage' || storageAccountKind == 'StorageV2' || storageAccountKind == 'Storage' var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') - var identity = identityType != 'None' ? { type: identityType userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null @@ -175,7 +174,7 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { } resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { - name: !empty(name) ? name : uniqueStoragename + name: !empty(name) ? name : uniqueStorageName location: location kind: storageAccountKind sku: { From b05492120e54daf7691a20c074c7e37414baf2c8 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 17:06:31 +0100 Subject: [PATCH 17/17] Reset workflow file --- .github/workflows/ms.storage.storageaccounts.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ms.storage.storageaccounts.yml b/.github/workflows/ms.storage.storageaccounts.yml index 50b2de5481..aeb32ad24f 100644 
--- a/.github/workflows/ms.storage.storageaccounts.yml +++ b/.github/workflows/ms.storage.storageaccounts.yml @@ -14,8 +14,8 @@ on: required: false default: 'false' push: - # branches: - # - main + branches: + - main paths: - '.github/actions/templates/**' - '.github/workflows/ms.storage.storageaccounts.yml'