diff --git a/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml b/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml
index 811ce5a076..6f5d0a1cc8 100644
--- a/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml
+++ b/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml
@@ -45,6 +45,7 @@ stages:
 parameters:
 removeDeployment: '${{ parameters.removeDeployment }}'
 deploymentBlocks:
+ - path: $(modulePath)/.parameters/min.parameters.json
 - path: $(modulePath)/.parameters/parameters.json
 - stage: Publishing
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json
new file mode 100644
index 0000000000..012526cf1f
--- /dev/null
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-az-mls-min-001"
+ },
+ "sku": {
+ "value": "Basic"
+ },
+ "associatedStorageAccountResourceId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001"
+ },
+ "associatedKeyVaultResourceId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001"
+ },
+ "associatedApplicationInsightsResourceId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Insights/components/adp-<>-az-appi-x-001"
+ },
+ "systemAssignedIdentity": {
+ "value": true
+ }
+ }
+}
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
index 2c1de9a1f6..c6ecc0756d 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
@@ -18,13 +18,37 @@
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Insights/components/adp-<>-az-appi-x-001"
 },
 "systemAssignedIdentity": {
- "value": true
+ "value": false // Must be false if `primaryUserAssignedIdentity` is provided
 },
 "userAssignedIdentities": {
 "value": {
 "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
 }
 },
+ "description": {
+ "value": "The cake is a lie."
+ },
+ "discoveryUrl": {
+ "value": "http://example.com"
+ },
+ "encryptionIdentity": {
+ "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001"
+ },
+ "encryptionKeyIdentifier": {
+ "value": "https://adp-carml-az-kv-nopr-002.vault.azure.net/keys/keyEncryptionKey/5263fcde203347baa7cda35d074073b2" // ID must be updated for new keys
+ },
+ "encryptionKeyVaultResourceId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-carml-az-kv-nopr-002"
+ },
+ "imageBuildCompute": {
+ "value": "testcompute"
+ },
+ "publicNetworkAccess": {
+ "value": "Enabled"
+ },
+ "primaryUserAssignedIdentity": {
+ "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001"
+ },
 "computes": {
 "value": [
 {
@@ -32,7 +56,7 @@
 "location": "westeurope",
 "computeLocation": "westeurope",
 "sku": "Basic",
- "systemAssignedIdentity": true,
+ "systemAssignedIdentity": false,
 "userAssignedIdentities": {
 "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
 },
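Review bot: In the first hunk, `encryptionKeyIdentifier` and `encryptionKeyVaultResourceId` name a concrete vault, `adp-carml-az-kv-nopr-002`, and one specific key version, whereas every other resource reference in this file is tokenized with `<>`; the test is thereby bound to a single environment, and the `// ID must be updated for new keys` comment means a key rotation in that vault silently breaks this pipeline rather than revealing a template problem. If the deployment accepts a versionless key identifier, dropping the version segment removes that hazard; otherwise at least tokenize the vault name like the other references and name, in the comment, the rotation step that refreshes this value. `discoveryUrl` is set to `http://example.com`; if that URL is what the service hands back to clients (I cannot confirm from here), an `https://` test value would better reflect intended use. The second hunk on this line makes the matching system-to-user-assigned identity switch for the compute and needs nothing further.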
@@ -79,6 +103,14 @@
 },
 "diagnosticEventHubName": {
 "value": "adp-<>-az-evh-x-001"
+ },
+ "privateEndpoints": {
+ "value": [
+ {
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints",
+ "service": "amlworkspace"
+ }
+ ]
 }
 }
 }
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep
index 86ba267479..210a03e794 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep
+++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep
@@ -1,29 +1,29 @@
 // ================ //
 // Parameters //
 // ================ //
-@description('Required. The name of the machine learning workspace.')
+@sys.description('Required. The name of the machine learning workspace.')
 param name string
-@description('Optional. Location for all resources.')
+@sys.description('Optional. Location for all resources.')
 param location string = resourceGroup().location
-@description('Required. Specifies the sku, also referred as \'edition\' of the Azure Machine Learning workspace.')
+@sys.description('Required. Specifies the SKU, also referred as \'edition\' of the Azure Machine Learning workspace.')
 @allowed([
 'Basic'
 'Enterprise'
 ])
 param sku string
-@description('Required. The resource ID of the associated Storage Account.')
+@sys.description('Required. The resource ID of the associated Storage Account.')
 param associatedStorageAccountResourceId string
-@description('Required. The resource ID of the associated Key Vault.')
+@sys.description('Required. The resource ID of the associated Key Vault.')
 param associatedKeyVaultResourceId string
-@description('Required. The resource ID of the associated Application Insights.')
+@sys.description('Required. The resource ID of the associated Application Insights.')
 param associatedApplicationInsightsResourceId string
-@description('Optional. The resource ID of the associated Container Registry.')
+@sys.description('Optional. The resource ID of the associated Container Registry.')
 param associatedContainerRegistryResourceId string = ''
 @allowed([
@@ -31,56 +31,56 @@ param associatedContainerRegistryResourceId string = ''
 'NotSpecified'
 'ReadOnly'
 ])
-@description('Optional. Specify the type of lock.')
+@sys.description('Optional. Specify the type of lock.')
 param lock string = 'NotSpecified'
-@description('Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service.')
+@sys.description('Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service.')
 param hbiWorkspace bool = false
-@description('Optional. The flag to indicate whether to allow public access when behind VNet.')
+@sys.description('Optional. The flag to indicate whether to allow public access when behind VNet.')
 param allowPublicAccessWhenBehindVnet bool = false
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
 param roleAssignments array = []
-@description('Optional. Configuration Details for private endpoints.')
+@sys.description('Optional. Configuration Details for private endpoints.')
 param privateEndpoints array = []
-@description('Optional. Computes to create respectively attach to the workspace.')
+@sys.description('Optional. 
Computes to create respectively attach to the workspace.')
 param computes array = []
-@description('Optional. Resource tags.')
+@sys.description('Optional. Resource tags.')
 param tags object = {}
-@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+@sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
 // Identity
-@description('Optional. Enables system assigned managed identity on the resource.')
+@sys.description('Conditional. Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided.')
 param systemAssignedIdentity bool = false
-@description('Optional. The ID(s) to assign to the resource.')
+@sys.description('Conditional. The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false.')
 param userAssignedIdentities object = {}
 // Diagnostic Settings
-@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
+@sys.description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
 @minValue(0)
 @maxValue(365)
 param diagnosticLogsRetentionInDays int = 365
-@description('Optional. Resource ID of the diagnostic storage account.')
+@sys.description('Optional. Resource ID of the diagnostic storage account.')
 param diagnosticStorageAccountId string = ''
-@description('Optional. Resource ID of the diagnostic log analytics workspace.')
+@sys.description('Optional. Resource ID of the diagnostic log analytics workspace.')
 param diagnosticWorkspaceId string = ''
-@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+@sys.description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
 param diagnosticEventHubAuthorizationRuleId string = ''
-@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
+@sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param diagnosticEventHubName string = ''
-@description('Optional. The name of logs that will be streamed.')
+@sys.description('Optional. The name of logs that will be streamed.')
 @allowed([
 'AmlComputeClusterEvent'
 'AmlComputeClusterNodeEvent'
@@ -96,7 +96,7 @@ param diagnosticLogCategoriesToEnable array = [
 'AmlRunStatusChangedEvent'
 ]
-@description('Optional. The name of metrics that will be streamed.')
+@sys.description('Optional. The name of metrics that will be streamed.')
 @allowed([
 'AllMetrics'
 ])
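Review bot: The reworded descriptions for `systemAssignedIdentity` and `userAssignedIdentities` in the hunk that ends here (it begins at the `lock` parameter further up) make each conditional on the other, yet the defaults `false` and `{}` still allow both to be omitted and nothing in the template rejects that combination, so a caller who sets neither learns about it only from the resource provider at deployment time. If the workspace does require a managed identity, which the new wording implies, state it directly in both descriptions, e.g. `@sys.description('Conditional. Enables system assigned managed identity on the resource. Required if userAssignedIdentities is empty; the workspace needs at least one of the two identity kinds.')`, so the readme generated from these strings carries the constraint as well. The identity variable that combines the two parameters lies outside this hunk, so I cannot tell whether it handles the empty case.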
@@ -104,9 +104,37 @@ param diagnosticMetricsToEnable array = [
 'AllMetrics'
 ]
-@description('Optional. The name of the diagnostic setting, if deployed.')
+@sys.description('Optional. The name of the diagnostic setting, if deployed.')
 param diagnosticSettingsName string = '${name}-diagnosticSettings'
+@sys.description('Optional. The description of this workspace.')
+param description string = ''
+
+@sys.description('Optional. URL for the discovery service to identify regional endpoints for machine learning experimentation services.')
+param discoveryUrl string = ''
+
+@sys.description('Optional. The Resource ID of the user assigned identity that will be used to access the customer managed key vault.')
+param encryptionIdentity string = ''
+
+@sys.description('Conditional. Key vault URI to access the encryption key. Required if an \'encryptionIdentity\' was provided.')
+param encryptionKeyIdentifier string = ''
+
+@sys.description('Conditional. The ResourceID of the keyVault where the customer owned encryption key is present. Required if an \'encryptionIdentity\' was provided.')
+param encryptionKeyVaultResourceId string = ''
+
+@sys.description('Optional. The compute name for image build.')
+param imageBuildCompute string = ''
+
+@sys.description('Conditional. The user assigned identity resource id that represents the workspace identity. Required if \'userAssignedIdentities\' is not empty and may not be used if \'systemAssignedIdentity\' is enabled.')
+param primaryUserAssignedIdentity string = ''
+
+@sys.description('Optional. Whether requests from Public Network are allowed.')
+@allowed([
+ 'Enabled'
+ 'Disabled'
+])
+param publicNetworkAccess string = 'Disabled'
+
 // ================//
 // Variables //
 // ================//
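Review bot: The description of `encryptionKeyIdentifier` calls the value a 'Key vault URI', but what the resource consumes (and what the updated test parameters supply) is a key identifier URI carrying the key name and version, not the vault's base URI; suggest `@sys.description('Conditional. The Key Vault key identifier URI (vault, key name and version) of the customer-managed key. Required if an \'encryptionIdentity\' was provided.')`. The two key parameters are documented as required once `encryptionIdentity` is set, but nothing in the parameter declarations enforces it, so a sentence noting that an incomplete triple is only caught by the provider at deployment time would set expectations. `publicNetworkAccess` defaulting to `Disabled` is the safe default; consider adding to its description that a caller keeping it disabled presumably needs `privateEndpoints` to reach the workspace, since that interplay is otherwise only discoverable by reading the whole parameter list.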
@@ -151,7 +179,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-04-01' = {
+resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = {
 name: name
 location: location
 tags: tags
@@ -165,9 +193,23 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-04-01' = {
 storageAccount: associatedStorageAccountResourceId
 keyVault: associatedKeyVaultResourceId
 applicationInsights: associatedApplicationInsightsResourceId
- containerRegistry: ((!(associatedContainerRegistryResourceId == '')) ? associatedContainerRegistryResourceId : null)
+ containerRegistry: !empty(associatedContainerRegistryResourceId) ? associatedContainerRegistryResourceId : null
 hbiWorkspace: hbiWorkspace
 allowPublicAccessWhenBehindVnet: allowPublicAccessWhenBehindVnet
+ description: description
+ discoveryUrl: discoveryUrl
+ encryption: any({
+ identity: !empty(encryptionIdentity) ? {
+ userAssignedIdentity: encryptionIdentity
+ } : null
+ keyVaultProperties: !empty(encryptionIdentity) ? {
+ keyIdentifier: encryptionKeyIdentifier
+ keyVaultArmId: encryptionKeyVaultResourceId
+ } : null
+ })
+ imageBuildCompute: imageBuildCompute
+ primaryUserAssignedIdentity: primaryUserAssignedIdentity
+ publicNetworkAccess: publicNetworkAccess
 }
 }
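Review bot: In the second hunk on this line the `encryption` object is always emitted and both of its members are gated on `encryptionIdentity` alone, so a caller who supplies `encryptionKeyIdentifier` and `encryptionKeyVaultResourceId` but not the identity (for instance intending the system-assigned identity to read the key, if the service supports that) gets two null members and a workspace that silently falls back to platform-managed keys instead of failing; the `any()` wrapper also removes the type check that would otherwise flag the object's shape, and to my knowledge the 2021-07-01 `encryption` object carries a required `status` field that is never set here. Emitting `null` when no customer-managed key is requested and a fully populated object as soon as either the identity or the key is given keeps the template typed and turns a partial configuration into a provider-side error rather than a silent downgrade; the rewritten property is below, with the identity member still conditional. Likewise `primaryUserAssignedIdentity` is passed through as `''` whenever unset although its own description says it may not be used with a system-assigned identity; `primaryUserAssignedIdentity: !empty(primaryUserAssignedIdentity) ? primaryUserAssignedIdentity : null` avoids sending an empty string, should the provider reject it (I cannot confirm from here). The resource block continues outside the hunk.
```bicep
    allowPublicAccessWhenBehindVnet: allowPublicAccessWhenBehindVnet
    // Customer-managed key: emitted as soon as an identity or a key is named, so that an
    // incomplete configuration is rejected by the provider instead of silently using platform keys.
    encryption: (!empty(encryptionIdentity) || !empty(encryptionKeyIdentifier)) ? {
      status: 'Enabled'
      identity: !empty(encryptionIdentity) ? {
        userAssignedIdentity: encryptionIdentity
      } : null
      keyVaultProperties: {
        keyIdentifier: encryptionKeyIdentifier
        keyVaultArmId: encryptionKeyVaultResourceId
      }
    } : null
    // … unchanged: description, discoveryUrl, imageBuildCompute, publicNetworkAccess …
    primaryUserAssignedIdentity: !empty(primaryUserAssignedIdentity) ? primaryUserAssignedIdentity : null
```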
@@ -237,14 +279,14 @@ module workspace_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index)
 // ================//
 // Outputs //
 // ================//
-@description('The resource ID of the machine learning service')
+@sys.description('The resource ID of the machine learning service')
 output resourceId string = workspace.id
-@description('The resource group the machine learning service was deployed into')
+@sys.description('The resource group the machine learning service was deployed into')
 output resourceGroupName string = resourceGroup().name
-@description('The name of the machine learning service')
+@sys.description('The name of the machine learning service')
 output name string = workspace.name
-@description('The principal ID of the system assigned identity.')
+@sys.description('The principal ID of the system assigned identity.')
 output principalId string = (!empty(identity) && contains(identity.type, 'SystemAssigned')) ? workspace.identity.principalId : ''
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md
index cabe4c5e0f..1a9a149c50 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md
+++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md
@@ -15,7 +15,7 @@ This module deploys a Machine Learning Services Workspace. | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.MachineLearningServices/workspaces` | [2021-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2021-04-01/workspaces) | +| `Microsoft.MachineLearningServices/workspaces` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2021-07-01/workspaces) | | `Microsoft.MachineLearningServices/workspaces/computes` | [2022-01-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2022-01-01-preview/workspaces/computes) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | 
@@ -29,7 +29,16 @@ This module deploys a Machine Learning Services Workspace. | `associatedKeyVaultResourceId` | string | | The resource ID of the associated Key Vault. | | `associatedStorageAccountResourceId` | string | | The resource ID of the associated Storage Account. | | `name` | string | | The name of the machine learning workspace. | -| `sku` | string | `[Basic, Enterprise]` | Specifies the sku, also referred as 'edition' of the Azure Machine Learning workspace. | +| `sku` | string | `[Basic, Enterprise]` | Specifies the SKU, also referred as 'edition' of the Azure Machine Learning workspace. | + +**Conditional parameters** +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `encryptionKeyIdentifier` | string | `''` | Key vault URI to access the encryption key. Required if an 'encryptionIdentity' was provided. | +| `encryptionKeyVaultResourceId` | string | `''` | The ResourceID of the keyVault where the customer owned encryption key is present. Required if an 'encryptionIdentity' was provided. | +| `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. | +| `systemAssignedIdentity` | bool | `False` | Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. | +| `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | 
@@ -37,6 +46,7 @@ This module deploys a Machine Learning Services Workspace. | `allowPublicAccessWhenBehindVnet` | bool | `False` | | The flag to indicate whether to allow public access when behind VNet. | | `associatedContainerRegistryResourceId` | string | `''` | | The resource ID of the associated Container Registry. | | `computes` | _[computes](computes/readme.md)_ array | `[]` | | Computes to create respectively attach to the workspace. | +| `description` | string | `''` | | The description of this workspace. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `diagnosticLogCategoriesToEnable` | array | `[AmlComputeClusterEvent, AmlComputeClusterNodeEvent, AmlComputeJobEvent, AmlComputeCpuGpuUtilization, AmlRunStatusChangedEvent]` | `[AmlComputeClusterEvent, AmlComputeClusterNodeEvent, AmlComputeJobEvent, AmlComputeCpuGpuUtilization, AmlRunStatusChangedEvent]` | The name of logs that will be streamed. | 
@@ -45,15 +55,17 @@ This module deploys a Machine Learning Services Workspace. | `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. | | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | +| `discoveryUrl` | string | `''` | | URL for the discovery service to identify regional endpoints for machine learning experimentation services. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `encryptionIdentity` | string | `''` | | The Resource ID of the user assigned identity that will be used to access the customer managed key vault. | | `hbiWorkspace` | bool | `False` | | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | +| `imageBuildCompute` | string | `''` | | The compute name for image build. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | +| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether requests from Public Network are allowed. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
-| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Resource tags. |
-| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
 ### Parameter Usage: `computes`
diff --git a/arm/Microsoft.Sql/managedInstances/deploy.bicep b/arm/Microsoft.Sql/managedInstances/deploy.bicep
index 2e77e82d70..44cb5fcdda 100644
--- a/arm/Microsoft.Sql/managedInstances/deploy.bicep
+++ b/arm/Microsoft.Sql/managedInstances/deploy.bicep
@@ -122,7 +122,7 @@ param systemAssignedIdentity bool = false
 @description('Optional. The ID(s) to assign to the resource.')
 param userAssignedIdentities object = {}
-@description('Optional. Mandatory if "managedServiceIdentity" contains UserAssigned. The resource ID of a user assigned identity to be used by default.')
+@description('Conditional. Required if "userAssignedIdentities" is not empty. The resource ID of a user assigned identity to be used by default.')
 param primaryUserAssignedIdentityId string = ''
 @description('Optional. Databases to create in this server.')
diff --git a/arm/Microsoft.Sql/managedInstances/readme.md b/arm/Microsoft.Sql/managedInstances/readme.md
index 5ef3654dd6..72216fd4bb 100644
--- a/arm/Microsoft.Sql/managedInstances/readme.md
+++ b/arm/Microsoft.Sql/managedInstances/readme.md
@@ -47,6 +47,11 @@ SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://docs.m | `name` | string | The name of the SQL managed instance. | | `subnetId` | string | The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. | +**Conditional parameters** +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `primaryUserAssignedIdentityId` | string | `''` | Required if "userAssignedIdentities" is not empty. The resource ID of a user assigned identity to be used by default. | + **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | @@ -71,7 +76,6 @@ SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://docs.m | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `managedInstanceCreateMode` | string | `'Default'` | `[Default, PointInTimeRestore]` | Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. | -| `primaryUserAssignedIdentityId` | string | `''` | | Mandatory if "managedServiceIdentity" contains UserAssigned. The resource ID of a user assigned identity to be used by default. | | `proxyOverride` | string | `'Proxy'` | `[Proxy, Redirect, Default]` | Connection type used for connecting to the instance. | | `publicDataEndpointEnabled` | bool | `False` | | Whether or not the public data endpoint is enabled. | | `requestedBackupStorageRedundancy` | string | `'Geo'` | `[Geo, GeoZone, Local, Zone]` | The storage account type used to store backups for this database. |