diff --git a/.azuredevops/modulePipelines/ms.network.virtualwans.yml b/.azuredevops/modulePipelines/ms.network.virtualwans.yml index bef3372daf..11ce9c3a01 100644 --- a/.azuredevops/modulePipelines/ms.network.virtualwans.yml +++ b/.azuredevops/modulePipelines/ms.network.virtualwans.yml @@ -42,6 +42,7 @@ stages: parameters: removeDeployment: '${{ parameters.removeDeployment }}' deploymentBlocks: + - path: $(modulePath)/.parameters/min.parameters.json - path: $(modulePath)/.parameters/parameters.json - stage: Publishing diff --git a/.github/workflows/ms.network.virtualwans.yml b/.github/workflows/ms.network.virtualwans.yml index b07c7830f3..5a22fd96b5 100644 --- a/.github/workflows/ms.network.virtualwans.yml +++ b/.github/workflows/ms.network.virtualwans.yml @@ -81,7 +81,7 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: ['parameters.json'] + parameterFilePaths: ['min.parameters.json', 'parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 diff --git a/arm/Microsoft.Network/virtualHubs/deploy.bicep b/arm/Microsoft.Network/virtualHubs/deploy.bicep index c7c7437961..7476ba632a 100644 --- a/arm/Microsoft.Network/virtualHubs/deploy.bicep +++ b/arm/Microsoft.Network/virtualHubs/deploy.bicep @@ -68,6 +68,14 @@ param hubRouteTables array = [] @description('Optional. Virtual network connections to create for the virtual hub.') param hubVirtualNetworkConnections array = [] +@allowed([ + 'CanNotDelete' + 'NotSpecified' + 'ReadOnly' +]) +@description('Optional. Specify the type of lock.') +param lock string = 'NotSpecified' + @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') param cuaId string = '' 
@@ -113,6 +121,15 @@ resource virtualHub 'Microsoft.Network/virtualHubs@2021-05-01' = {
   }
 }
+resource virtualHub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
+  name: '${virtualHub.name}-${lock}-lock'
+  properties: {
+    level: lock
+    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+  }
+  scope: virtualHub
+}
+
 module virtualHub_routeTables 'hubRouteTables/deploy.bicep' = [for (routeTable, index) in hubRouteTables: {
   name: '${uniqueString(deployment().name, location)}-routeTable-${index}'
   params: {
diff --git a/arm/Microsoft.Network/virtualHubs/readme.md b/arm/Microsoft.Network/virtualHubs/readme.md
index dc649408c2..d37af7b81a 100644
--- a/arm/Microsoft.Network/virtualHubs/readme.md
+++ b/arm/Microsoft.Network/virtualHubs/readme.md
@@ -6,6 +6,7 @@ This module deploys a virtual hub.
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/locks` | 2017-04-01 |
 | `Microsoft.Network/virtualHubs` | 2021-05-01 |
 | `Microsoft.Network/virtualHubs/hubRouteTables` | 2021-05-01 |
 | `Microsoft.Network/virtualHubs/hubVirtualNetworkConnections` | 2021-05-01 |
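Review bot: `virtualHub_lock` has no ordering relationship with the `virtualHub_routeTables` module that follows it (only that module is visible; the file continues past the hunk), so on a first deployment with `lock` set to `ReadOnly` the lock can be applied before the child route tables are written, and the lock's own `notes` say it blocks modification of child resources. If that is the case, the child deployments would presumably fail with a lock error on the first run and only succeed once the lock is removed. Consider sequencing the lock after the children, e.g. `dependsOn: [ virtualHub_routeTables ]` inside the lock resource (plus any other child module this file defines), or state in the `lock` parameter description that `ReadOnly` is expected to be applied in a later run after the child resources exist.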
@@ -22,13 +23,14 @@ This module deploys a virtual hub. | `hubRouteTables` | _[hubRouteTables](hubRouteTables/readme.md)_ array | `[]` | | Optional. Route tables to create for the virtual hub. | | `hubVirtualNetworkConnections` | _[hubVirtualNetworkConnections](hubVirtualNetworkConnections/readme.md)_ array | `[]` | | Optional. Virtual network connections to create for the virtual hub. | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | | `name` | string | | | Required. The virtual hub name. | | `p2SVpnGatewayId` | string | | | Optional. Resource ID of the Point-to-Site VPN Gateway to link to | | `preferredRoutingGateway` | string | | `[ExpressRoute, None, VpnGateway, ]` | Optional. The preferred routing gateway types | | `routeTableRoutes` | array | `[]` | | Optional. VirtualHub route tables | | `securityPartnerProviderId` | string | | | Optional. ID of the Security Partner Provider to link to | | `securityProviderName` | string | | | Optional. The Security Provider name. | -| `sku` | string | `Standard` | `Basic`,`Standard` | Optional. The sku of this VirtualHub. | +| `sku` | string | `Standard` | `[Basic, Standard]` | Optional. The sku of this VirtualHub. | | `tags` | object | `{object}` | | Optional. Tags of the resource. | | `virtualHubRouteTableV2s` | array | `[]` | | Optional. List of all virtual hub route table v2s associated with this VirtualHub. | | `virtualRouterAsn` | int | `-1` | | Optional. VirtualRouter ASN. | 
@@ -63,6 +65,7 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Template references +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) - [Virtualhubs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/virtualHubs) - [Virtualhubs/Hubroutetables](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/virtualHubs/hubRouteTables) - [Virtualhubs/Hubvirtualnetworkconnections](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/virtualHubs/hubVirtualNetworkConnections) diff --git a/arm/Microsoft.Network/virtualWans/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/virtualWans/.bicep/nested_rbac.bicep index 5fa4ad424d..9fa6020add 100644 --- a/arm/Microsoft.Network/virtualWans/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Network/virtualWans/.bicep/nested_rbac.bicep @@ -20,7 +20,7 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource virtualWan 'Microsoft.Network/virtualWans@2021-03-01' existing = { +resource virtualWan 'Microsoft.Network/virtualWans@2021-05-01' existing = { name: last(split(resourceId, '/')) } diff --git a/arm/Microsoft.Network/virtualWans/.parameters/min.parameters.json b/arm/Microsoft.Network/virtualWans/.parameters/min.parameters.json new file mode 100644 index 0000000000..badddffd7e --- /dev/null +++ b/arm/Microsoft.Network/virtualWans/.parameters/min.parameters.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-vw-min-001" + } + } +} diff --git a/arm/Microsoft.Network/virtualWans/.parameters/parameters.json b/arm/Microsoft.Network/virtualWans/.parameters/parameters.json index 56ac0a55bf..325af25252 100644 
--- a/arm/Microsoft.Network/virtualWans/.parameters/parameters.json
+++ b/arm/Microsoft.Network/virtualWans/.parameters/parameters.json
@@ -5,17 +5,17 @@
 "name": {
 "value": "<>-az-vw-x-001"
 },
- "vpnsiteAddressspaceList": {
- "value": []
+ "type": {
+ "value": "Basic"
 },
- "vpnsitePublicIPAddress": {
- "value": "1.2.3.4"
+ "allowBranchToBranchTraffic": {
+ "value": true
 },
- "vpnsiteBgpAsn": {
- "value": 65010
+ "allowVnetToVnetTraffic": {
+ "value": true
 },
- "vpnsiteBgpPeeringAddress": {
- "value": "1.1.1.1"
+ "disableVpnEncryption": {
+ "value": true
 },
 "roleAssignments": {
 "value": [
diff --git a/arm/Microsoft.Network/virtualWans/deploy.bicep b/arm/Microsoft.Network/virtualWans/deploy.bicep
index 968b410208..0274ec10a8 100644
--- a/arm/Microsoft.Network/virtualWans/deploy.bicep
+++ b/arm/Microsoft.Network/virtualWans/deploy.bicep
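Review bot: The reference parameter file now sets `"disableVpnEncryption": { "value": true }` alongside `"type": "Basic"`, so the published example (and the CI deployment driven by it) describes a Virtual WAN with VPN encryption switched off. This module only creates the Virtual WAN resource, so nothing in it compensates for unencrypted VPN traffic, and consumers commonly copy `parameters.json` verbatim as a starting point. Since the new `min.parameters.json` already covers the defaults, consider keeping `"value": false` here and exercising the `true` path in a separately named test parameter file, or note in the module readme that the example deliberately disables encryption for test coverage only.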
@@ -1,49 +1,24 @@
 @description('Optional. Location where all resources will be created.')
 param location string = resourceGroup().location
-@description('Required. Name of the Virtual Wan.')
+@description('Required. Name of the Virtual WAN.')
 param name string
-@description('Optional. Sku of the Virtual Wan.')
+@description('Optional. The type of the Virtual WAN.')
 @allowed([
   'Standard'
   'Basic'
 ])
-param virtualWanSku string = 'Standard'
+param type string = 'Standard'
-@description('Optional. Name of the Virtual Hub. A virtual hub is created inside a virtual wan.')
-param virtualHubName string = 'SampleVirtualHub'
+@description('Optional. True if branch to branch traffic is allowed.')
+param allowBranchToBranchTraffic bool = false
-@description('Optional. Name of the Vpn Gateway. A vpn gateway is created inside a virtual hub.')
-param vpnGatewayName string = 'SampleVpnGateway'
+@description('Optional. True if VNET to VNET traffic is allowed. ')
+param allowVnetToVnetTraffic bool = false
-@description('Optional. Name of the vpnsite. A vpnsite represents the on-premise vpn device. A public ip address is mandatory for a vpn site creation.')
-param vpnSiteName string = 'SampleVpnSite'
-
-@description('Optional. Name of the vpnconnection. A vpn connection is established between a vpnsite and a vpn gateway.')
-param connectionName string = 'SampleVpnsiteVpnGwConnection'
-
-@description('Optional. A list of static routes corresponding to the vpn site. These are configured on the vpn gateway.')
-param vpnsiteAddressspaceList array = []
-
-@description('Required. he public IP address of a vpn site.')
-param vpnsitePublicIPAddress string
-
-@description('Required. The bgp asn number of a vpnsite.')
-param vpnsiteBgpAsn int
-
-@description('Required. The bgp peer IP address of a vpnsite.')
-param vpnsiteBgpPeeringAddress string
-
-@description('Optional. The hub address prefix. 
This address prefix will be used as the address prefix for the hub vnet')
-param addressPrefix string = '192.168.0.0/24'
-
-@description('Optional. his needs to be set to true if BGP needs to enabled on the vpn connection.')
-@allowed([
-  'true'
-  'false'
-])
-param enableBgp string = 'false'
+@description('Optional. VPN encryption to be disabled or not.')
+param disableVpnEncryption bool = false
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
 param roleAssignments array = []
@@ -67,12 +42,15 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
   params: {}
 }
-resource virtualWan 'Microsoft.Network/virtualWans@2021-03-01' = {
+resource virtualWan 'Microsoft.Network/virtualWans@2021-05-01' = {
   name: name
   location: location
   tags: tags
   properties: {
-    type: virtualWanSku
+    allowBranchToBranchTraffic: allowBranchToBranchTraffic
+    allowVnetToVnetTraffic: allowVnetToVnetTraffic ? allowVnetToVnetTraffic : null
+    disableVpnEncryption: disableVpnEncryption
+    type: type
   }
 }
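Review bot: The description of the new `disableVpnEncryption` parameter, `'Optional. VPN encryption to be disabled or not.'`, does not tell a caller what they are giving up, and this text is also what the generated readme shows. Since it is a security-relevant toggle with a safe default, I would spell that out: `@description('Optional. Set to true to disable VPN encryption for the Virtual WAN. Keep the default of false unless the traffic is protected by other means.')`. Separately, the new `allowVnetToVnetTraffic` description carries a trailing space inside the quotes (`'... is allowed. '`) that the readme generator presumably copies through; drop it for consistency with the other descriptions. The parameter section starts at the top of the file in this hunk; the preceding hunk header is on the previous line.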
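Review bot: `allowVnetToVnetTraffic: allowVnetToVnetTraffic ? allowVnetToVnetTraffic : null` maps `false` to `null`, so the property is omitted from the payload whenever the parameter is left at its default, while the sibling `allowBranchToBranchTraffic` is passed through as-is. That inconsistency means a redeploy with `allowVnetToVnetTraffic` set back to `false` presumably leaves an existing `true` value in place rather than resetting it, which is the opposite of what a reader of the parameter description would expect. Unless there is a known service-side rejection of an explicit `false` (in which case a comment should say so), pass it straight through: `allowVnetToVnetTraffic: allowVnetToVnetTraffic`.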
@@ -85,91 +63,6 @@ resource virtualWan_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock ! scope: virtualWan } -resource virtualHub 'Microsoft.Network/virtualHubs@2021-03-01' = { - name: virtualHubName - location: location - properties: { - addressPrefix: addressPrefix - virtualWan: { - id: virtualWan.id - } - } -} - -resource virtualHub_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { - name: '${virtualHub.name}-${lock}-lock' - properties: { - level: lock - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' - } - scope: virtualHub -} - -resource vpnSite 'Microsoft.Network/vpnSites@2021-03-01' = { - name: vpnSiteName - location: location - properties: { - addressSpace: { - addressPrefixes: vpnsiteAddressspaceList - } - bgpProperties: { - asn: vpnsiteBgpAsn - bgpPeeringAddress: vpnsiteBgpPeeringAddress - peerWeight: 0 - } - deviceProperties: { - linkSpeedInMbps: 0 - } - ipAddress: vpnsitePublicIPAddress - virtualWan: { - id: virtualWan.id - } - } -} - -resource vpnSite_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { - name: '${vpnSite.name}-${lock}-lock' - properties: { - level: lock - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' - } - scope: vpnSite -} - -resource vpnGateway 'Microsoft.Network/vpnGateways@2021-03-01' = { - name: vpnGatewayName - location: location - properties: { - connections: [ - { - name: connectionName - properties: { - connectionBandwidth: 10 - enableBgp: any(enableBgp) - remoteVpnSite: { - id: vpnSite.id - } - } - } - ] - virtualHub: { - id: virtualHub.id - } - bgpSettings: { - asn: 65515 - } - } -} - -resource vpnGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { - name: '${vpnGateway.name}-${lock}-lock' - properties: { - level: lock - notes: lock == 'CanNotDelete' ? 
'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' - } - scope: vpnGateway -} - module virtualWan_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-VWan-Rbac-${index}' params: { diff --git a/arm/Microsoft.Network/virtualWans/readme.md b/arm/Microsoft.Network/virtualWans/readme.md index 24278f39c3..4973b3273d 100644 --- a/arm/Microsoft.Network/virtualWans/readme.md +++ b/arm/Microsoft.Network/virtualWans/readme.md 
@@ -8,32 +8,22 @@ This template deploys a virtual WAN. | :-- | :-- | | `Microsoft.Authorization/locks` | 2017-04-01 | | `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | -| `Microsoft.Network/virtualHubs` | 2021-03-01 | -| `Microsoft.Network/virtualWans` | 2021-03-01 | -| `Microsoft.Network/vpnGateways` | 2021-03-01 | -| `Microsoft.Network/vpnSites` | 2021-03-01 | +| `Microsoft.Network/virtualWans` | 2021-05-01 | ## Parameters | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `addressPrefix` | string | `192.168.0.0/24` | | Optional. The hub address prefix. This address prefix will be used as the address prefix for the hub vnet | -| `connectionName` | string | `SampleVpnsiteVpnGwConnection` | | Optional. Name of the vpnconnection. A vpn connection is established between a vpnsite and a vpn gateway. | +| `allowBranchToBranchTraffic` | bool | `False` | | Optional. True if branch to branch traffic is allowed. | +| `allowVnetToVnetTraffic` | bool | `False` | | Optional. True if VNET to VNET traffic is allowed. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | -| `enableBgp` | string | `false` | `[true, false]` | Optional. his needs to be set to true if BGP needs to enabled on the vpn connection. | +| `disableVpnEncryption` | bool | `False` | | Optional. VPN encryption to be disabled or not. | | `location` | string | `[resourceGroup().location]` | | Optional. Location where all resources will be created. | | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | -| `name` | string | | | Required. Name of the Virtual Wan. | +| `name` | string | | | Required. Name of the Virtual WAN. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `tags` | object | `{object}` | | Optional. Tags of the resource. | -| `virtualHubName` | string | `SampleVirtualHub` | | Optional. Name of the Virtual Hub. A virtual hub is created inside a virtual wan. | -| `virtualWanSku` | string | `Standard` | `[Standard, Basic]` | Optional. Sku of the Virtual Wan. | -| `vpnGatewayName` | string | `SampleVpnGateway` | | Optional. Name of the Vpn Gateway. A vpn gateway is created inside a virtual hub. | -| `vpnsiteAddressspaceList` | array | `[]` | | Optional. A list of static routes corresponding to the vpn site. These are configured on the vpn gateway. | -| `vpnsiteBgpAsn` | int | | | Required. The bgp asn number of a vpnsite. | -| `vpnsiteBgpPeeringAddress` | string | | | Required. The bgp peer IP address of a vpnsite. | -| `vpnSiteName` | string | `SampleVpnSite` | | Optional. Name of the vpnsite. A vpnsite represents the on-premise vpn device. A public ip address is mandatory for a vpn site creation. | -| `vpnsitePublicIPAddress` | string | | | Required. he public IP address of a vpn site. | +| `type` | string | `Standard` | `[Standard, Basic]` | Optional. The type of the Virtual WAN. | ### Parameter Usage: `roleAssignments` 
@@ -86,7 +76,4 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks)
 - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments)
-- [Virtualhubs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/virtualHubs)
-- [Virtualwans](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/virtualWans)
-- [Vpngateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/vpnGateways)
-- [Vpnsites](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/vpnSites)
+- [Virtualwans](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/virtualWans)
diff --git a/arm/Microsoft.Network/vpnGateways/deploy.bicep b/arm/Microsoft.Network/vpnGateways/deploy.bicep
index 72cdd9a388..c37730bc8e 100644
--- a/arm/Microsoft.Network/vpnGateways/deploy.bicep
+++ b/arm/Microsoft.Network/vpnGateways/deploy.bicep
@@ -28,6 +28,14 @@ param vpnGatewayScaleUnit int = 2
 @description('Optional. Tags of the resource.')
 param tags object = {}
+@allowed([
+  'CanNotDelete'
+  'NotSpecified'
+  'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = 'NotSpecified'
+
 @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered')
 param cuaId string = ''
@@ -51,6 +59,15 @@ resource vpnGateway 'Microsoft.Network/vpnGateways@2021-05-01' = {
   }
 }
+resource vpnGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
+  name: '${vpnGateway.name}-${lock}-lock'
+  properties: {
+    level: lock
+    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+  }
+  scope: vpnGateway
+}
+
 module vpnGateway_natRules 'natRules/deploy.bicep' = [for (natRule, index) in natRules: {
   name: '${deployment().name}-NATRule-${index}'
   params: {
diff --git a/arm/Microsoft.Network/vpnGateways/readme.md b/arm/Microsoft.Network/vpnGateways/readme.md
index 8b4cabcd31..8f65404f74 100644
--- a/arm/Microsoft.Network/vpnGateways/readme.md
+++ b/arm/Microsoft.Network/vpnGateways/readme.md
@@ -6,6 +6,7 @@ This module deploys VPN Gateways.
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/locks` | 2017-04-01 |
 | `Microsoft.Network/vpnGateways` | 2021-05-01 |
 | `Microsoft.Network/vpnGateways/natRules` | 2021-05-01 |
 | `Microsoft.Network/vpnGateways/vpnConnections` | 2021-05-01 |
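Review bot: `vpnGateway_lock` is not ordered against the `vpnGateway_natRules` module (and, per the readme table, the `vpnConnections` child module that lies outside this hunk), so with `lock` set to `ReadOnly` on a first deployment the lock may land before the NAT rules and connections are created, and a ReadOnly lock presumably blocks those child writes just as the lock's `notes` describe. Add `dependsOn: [ vpnGateway_natRules ]` (and the connections module) to the lock resource so it is created last, or document that `ReadOnly` is meant for a subsequent run after the child resources exist.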
@@ -17,9 +18,10 @@ This module deploys VPN Gateways. | `bgpSettings` | object | `{object}` | | Optional. BGP settings details. | | `connections` | _[connections](connections/readme.md)_ array | `[]` | | Optional. The connections to create in the VPN gateway | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | -| `enableBgpRouteTranslationForNat` | bool | `False` | | Optional. Enable BGP routes translation for NAT on this VPNGateway. | -| `isRoutingPreferenceInternet` | bool | `False` | | Optional. Enable Routing Preference property for the Public IP Interface of the VPNGateway. | +| `enableBgpRouteTranslationForNat` | bool | `False` | | Optional. Enable BGP routes translation for NAT on this VPN gateway. | +| `isRoutingPreferenceInternet` | bool | `False` | | Optional. Enable routing preference property for the public IP interface of the VPN gateway. | | `location` | string | `[resourceGroup().location]` | | Optional. Location where all resources will be created. | +| `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | | `name` | string | | | Required. Name of the VPN gateway | | `natRules` | _[natRules](natRules/readme.md)_ array | `[]` | | Optional. List of all the NAT Rules to associate with the gateway. | | `tags` | object | `{object}` | | Optional. Tags of the resource. | 
@@ -88,6 +90,7 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Template references +- [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) - [Vpngateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/vpnGateways) - [Vpngateways/Natrules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/vpnGateways/natRules) - [Vpngateways/Vpnconnections](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/vpnGateways/vpnConnections)