From cd5394440c4b7fd870980be58cd2ae0a73d20b8f Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 2 May 2022 14:25:03 +0200 Subject: [PATCH 01/27] Update ML workspace API + capabilities --- .../workspaces/.parameters/parameters.json | 27 +++++ .../workspaces/deploy.bicep | 108 +++++++++++++----- .../workspaces/readme.md | 14 ++- .../managedInstances/deploy.bicep | 2 +- arm/Microsoft.Sql/managedInstances/readme.md | 6 +- 5 files changed, 123 insertions(+), 34 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json index 2c1de9a1f6..24ae4fa064 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json 
@@ -25,6 +25,33 @@ "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} } }, + "description": { + "value": "The cake is a lie." + }, + "discoveryUrl": { + "value": "http://example.com" + }, + "encryptionIdentity": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" + }, + "encryptionKeyIdentifier": { + "value": "https://adp-carml-az-kv-nopr-002.vault.azure.net/keys/keyEncryptionKey/5263fcde203347baa7cda35d074073b2" // ID must be updated for new keys + }, + "encryptionKeyVaultResourceId": { + "value": "/subscriptions/a7439831-1cd9-435d-a091-4aa863c96556/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-carml-az-kv-nopr-002" + }, + "imageBuildCompute": { + "value": "testcompute" + }, + "publicNetworkAccess": { + "value": true + }, + "sharedPrivateLinkResources": { + "value": [] + }, + "primaryUserAssignedIdentity": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" + }, "computes": { "value": [ { diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 86ba267479..b462e823d9 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep 
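Review bot: The new `encryptionKeyIdentifier` and `encryptionKeyVaultResourceId` values hard-code one environment's vault name (`adp-carml-az-kv-nopr-002`), a pinned key version and a literal subscription GUID, while the other resource IDs in this file use the `<>` token. A later patch in this series replaces the GUID with the token, but the GUID stays in history unless the series is squashed, and the vault name and key version remain fixed. Consider tokenizing the vault name like the neighbouring IDs, so the fixture is not tied to a single tenant's key vault. The trailing `// ID must be updated for new keys` comment is also not valid strict JSON, so it is worth confirming that every tool that reads this file tolerates comments. Finally, `discoveryUrl` uses plain `http://`; an `https://` sample value would avoid teaching an unencrypted endpoint as the default shape.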
@@ -1,29 +1,29 @@ // ================ // // Parameters // // ================ // -@description('Required. The name of the machine learning workspace.') +@sys.description('Required. The name of the machine learning workspace.') param name string -@description('Optional. Location for all resources.') +@sys.description('Optional. Location for all resources.') param location string = resourceGroup().location -@description('Required. Specifies the sku, also referred as \'edition\' of the Azure Machine Learning workspace.') +@sys.description('Required. Specifies the sku, also referred as \'edition\' of the Azure Machine Learning workspace.') @allowed([ 'Basic' 'Enterprise' ]) param sku string -@description('Required. The resource ID of the associated Storage Account.') +@sys.description('Required. The resource ID of the associated Storage Account.') param associatedStorageAccountResourceId string -@description('Required. The resource ID of the associated Key Vault.') +@sys.description('Required. The resource ID of the associated Key Vault.') param associatedKeyVaultResourceId string -@description('Required. The resource ID of the associated Application Insights.') +@sys.description('Required. The resource ID of the associated Application Insights.') param associatedApplicationInsightsResourceId string -@description('Optional. The resource ID of the associated Container Registry.') +@sys.description('Optional. The resource ID of the associated Container Registry.') param associatedContainerRegistryResourceId string = '' @allowed([ 
@@ -31,56 +31,56 @@ param associatedContainerRegistryResourceId string = '' 'NotSpecified' 'ReadOnly' ]) -@description('Optional. Specify the type of lock.') +@sys.description('Optional. Specify the type of lock.') param lock string = 'NotSpecified' -@description('Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service.') +@sys.description('Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service.') param hbiWorkspace bool = false -@description('Optional. The flag to indicate whether to allow public access when behind VNet.') +@sys.description('Optional. The flag to indicate whether to allow public access when behind VNet.') param allowPublicAccessWhenBehindVnet bool = false -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +@sys.description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleAssignments array = [] -@description('Optional. Configuration Details for private endpoints.') +@sys.description('Optional. Configuration Details for private endpoints.') param privateEndpoints array = [] -@description('Optional. Computes to create respectively attach to the workspace.') +@sys.description('Optional. 
Computes to create respectively attach to the workspace.') param computes array = [] -@description('Optional. Resource tags.') +@sys.description('Optional. Resource tags.') param tags object = {} -@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') +@sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true // Identity -@description('Optional. Enables system assigned managed identity on the resource.') +@sys.description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false -@description('Optional. The ID(s) to assign to the resource.') +@sys.description('Optional. The ID(s) to assign to the resource.') param userAssignedIdentities object = {} // Diagnostic Settings -@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@sys.description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') @minValue(0) @maxValue(365) param diagnosticLogsRetentionInDays int = 365 -@description('Optional. Resource ID of the diagnostic storage account.') +@sys.description('Optional. Resource ID of the diagnostic storage account.') param diagnosticStorageAccountId string = '' -@description('Optional. Resource ID of the diagnostic log analytics workspace.') +@sys.description('Optional. Resource ID of the diagnostic log analytics workspace.') param diagnosticWorkspaceId string = '' -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +@sys.description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') param diagnosticEventHubAuthorizationRuleId string = '' -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +@sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@description('Optional. The name of logs that will be streamed.') +@sys.description('Optional. The name of logs that will be streamed.') @allowed([ 'AmlComputeClusterEvent' 'AmlComputeClusterNodeEvent' @@ -96,7 +96,7 @@ param diagnosticLogCategoriesToEnable array = [ 'AmlRunStatusChangedEvent' ] -@description('Optional. The name of metrics that will be streamed.') +@sys.description('Optional. The name of metrics that will be streamed.') @allowed([ 'AllMetrics' ]) 
@@ -104,9 +104,40 @@ param diagnosticMetricsToEnable array = [ 'AllMetrics' ] -@description('Optional. The name of the diagnostic setting, if deployed.') +@sys.description('Optional. The name of the diagnostic setting, if deployed.') param diagnosticSettingsName string = '${name}-diagnosticSettings' +@sys.description('Optional. The description of this workspace.') +param description string = '' + +@sys.description('Optional. URL for the discovery service to identify regional endpoints for machine learning experimentation services.') +param discoveryUrl string = '' + +@sys.description('Optional. The Resource ID of the user assigned identity that will be used to access the customer managed key vault.') +param encryptionIdentity string + +@sys.description('Conditional. Key vault uri to access the encryption key. Required if an \'encryptionIdentity\' was provided.') +param encryptionKeyIdentifier string + +@sys.description('Conditional. The ResourceID of the keyVault where the customer owned encryption key is present. Required if an \'encryptionIdentity\' was provided.') +param encryptionKeyVaultResourceId string + +@sys.description('Optional. The compute name for image build.') +param imageBuildCompute string = '' + +@sys.description('Conditional. The user assigned identity resource id that represents the workspace identity. Requried if \'userAssignedIdentities\' is not empty.') +param primaryUserAssignedIdentity string = '' + +@sys.description('Optional. Whether requests from Public Network are allowed.') +@allowed([ + 'Enabled' + 'Disabled' +]) +param publicNetworkAccess string = 'Disabled' + +@sys.description('Optional. The list of shared private link resources in this workspace.') +param sharedPrivateLinkResources array = [] + // ================// // Variables // // ================// 
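Review bot: The three encryption parameters describe a dependency ("Required if an 'encryptionIdentity' was provided") that nothing in this hunk enforces, and the `encryptionIdentity` description does not say what that identity needs in order to work. Presumably the identity must also be listed in `userAssignedIdentities` and be granted use of the key in the referenced vault; if so, the description should say it, e.g. `@sys.description('Optional. The resource ID of the user assigned identity used to access the customer managed key. It must also be part of \'userAssignedIdentities\' and be authorized on the key.')`. In this patch `encryptionIdentity`, `encryptionKeyIdentifier` and `encryptionKeyVaultResourceId` are declared without defaults although labelled Optional/Conditional; a later patch in the series adds `= ''`. It would also help to document how `publicNetworkAccess` relates to the existing `allowPublicAccessWhenBehindVnet` flag, since both now control public reachability.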
@@ -151,7 +182,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-04-01' = { +resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { name: name location: location tags: tags @@ -165,9 +196,24 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-04-01' = { storageAccount: associatedStorageAccountResourceId keyVault: associatedKeyVaultResourceId applicationInsights: associatedApplicationInsightsResourceId - containerRegistry: ((!(associatedContainerRegistryResourceId == '')) ? associatedContainerRegistryResourceId : null) + containerRegistry: !empty(associatedContainerRegistryResourceId) ? associatedContainerRegistryResourceId : null hbiWorkspace: hbiWorkspace allowPublicAccessWhenBehindVnet: allowPublicAccessWhenBehindVnet + description: description + discoveryUrl: discoveryUrl + encryption: any({ + identity: empty(encryptionIdentity) ? { + userAssignedIdentity: encryptionIdentity + } : null + keyVaultProperties: empty(encryptionIdentity) ? { + keyIdentifier: encryptionKeyIdentifier + keyVaultArmId: encryptionKeyVaultResourceId + } : null + }) + imageBuildCompute: imageBuildCompute + primaryUserAssignedIdentity: primaryUserAssignedIdentity + publicNetworkAccess: publicNetworkAccess + sharedPrivateLinkResources: sharedPrivateLinkResources } } 
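Review bot: The two ternaries in the new `encryption` block are inverted. `empty(encryptionIdentity) ? { ... } : null` emits `identity` and `keyVaultProperties` only when no identity was supplied and sets both to `null` when one was. A caller who passes `encryptionIdentity` and a key therefore gets a workspace without the customer-managed key they asked for, and nothing in the template flags it. Once the later patch in this series defaults the three parameters to `''`, the default path instead sends an `encryption` object filled with empty strings. The condition should be `!empty(encryptionIdentity)` and is better applied to the whole `encryption` property, so the property is omitted when CMK is not requested. The resource type's encryption object also appears to expect a `status` value, which the hunk never sets, so please confirm this against the 2021-07-01 schema. The workspace resource body starts and continues outside this hunk.

```bicep
    discoveryUrl: discoveryUrl
    // Emit the CMK block only when an encryption identity was actually supplied.
    encryption: !empty(encryptionIdentity) ? {
      status: 'Enabled'
      identity: {
        userAssignedIdentity: encryptionIdentity
      }
      keyVaultProperties: {
        keyIdentifier: encryptionKeyIdentifier
        keyVaultArmId: encryptionKeyVaultResourceId
      }
    } : null
    // … unchanged: imageBuildCompute, primaryUserAssignedIdentity, publicNetworkAccess, sharedPrivateLinkResources …
```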
@@ -237,14 +283,14 @@ module workspace_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) // ================// // Outputs // // ================// -@description('The resource ID of the machine learning service') +@sys.description('The resource ID of the machine learning service') output resourceId string = workspace.id -@description('The resource group the machine learning service was deployed into') +@sys.description('The resource group the machine learning service was deployed into') output resourceGroupName string = resourceGroup().name -@description('The name of the machine learning service') +@sys.description('The name of the machine learning service') output name string = workspace.name -@description('The principal ID of the system assigned identity.') +@sys.description('The principal ID of the system assigned identity.') output principalId string = (!empty(identity) && contains(identity.type, 'SystemAssigned')) ? workspace.identity.principalId : '' diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index cabe4c5e0f..2e4a6a6d33 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md 
@@ -15,7 +15,7 @@ This module deploys a Machine Learning Services Workspace. | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2021-04-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.MachineLearningServices/workspaces` | [2021-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2021-04-01/workspaces) | +| `Microsoft.MachineLearningServices/workspaces` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2021-07-01/workspaces) | | `Microsoft.MachineLearningServices/workspaces/computes` | [2022-01-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2022-01-01-preview/workspaces/computes) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | 
@@ -31,12 +31,19 @@ This module deploys a Machine Learning Services Workspace. | `name` | string | | The name of the machine learning workspace. | | `sku` | string | `[Basic, Enterprise]` | Specifies the sku, also referred as 'edition' of the Azure Machine Learning workspace. | +**Conditional parameters** +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `encryptionKeyVaultResourceId` | string | | The ResourceID of the keyVault where the customer owned encryption key is present. Required if an 'encryptionIdentity' was provided. | +| `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Requried if 'userAssignedIdentities' is not empty. | + **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `allowPublicAccessWhenBehindVnet` | bool | `False` | | The flag to indicate whether to allow public access when behind VNet. | | `associatedContainerRegistryResourceId` | string | `''` | | The resource ID of the associated Container Registry. | | `computes` | _[computes](computes/readme.md)_ array | `[]` | | Computes to create respectively attach to the workspace. | +| `description` | string | `''` | | The description of this workspace. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. 
| | `diagnosticLogCategoriesToEnable` | array | `[AmlComputeClusterEvent, AmlComputeClusterNodeEvent, AmlComputeJobEvent, AmlComputeCpuGpuUtilization, AmlRunStatusChangedEvent]` | `[AmlComputeClusterEvent, AmlComputeClusterNodeEvent, AmlComputeJobEvent, AmlComputeCpuGpuUtilization, AmlRunStatusChangedEvent]` | The name of logs that will be streamed. | 
@@ -45,12 +52,17 @@ This module deploys a Machine Learning Services Workspace. | `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. | | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | +| `discoveryUrl` | string | `''` | | URL for the discovery service to identify regional endpoints for machine learning experimentation services. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `encryptionIdentity` | string | | | The Resource ID of the user assigned identity that will be used to access the customer managed key vault. | | `hbiWorkspace` | bool | `False` | | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | +| `imageBuildCompute` | string | `''` | | The compute name for image build. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | +| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether requests from Public Network are allowed. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `sharedPrivateLinkResources` | array | `[]` | | The list of shared private link resources in this workspace. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Resource tags. | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | diff --git a/arm/Microsoft.Sql/managedInstances/deploy.bicep b/arm/Microsoft.Sql/managedInstances/deploy.bicep index 2e77e82d70..943a7cdec7 100644 --- a/arm/Microsoft.Sql/managedInstances/deploy.bicep +++ b/arm/Microsoft.Sql/managedInstances/deploy.bicep @@ -122,7 +122,7 @@ param systemAssignedIdentity bool = false @description('Optional. The ID(s) to assign to the resource.') param userAssignedIdentities object = {} -@description('Optional. Mandatory if "managedServiceIdentity" contains UserAssigned. The resource ID of a user assigned identity to be used by default.') +@description('Conditional. Requried if "userAssignedIdentities" is not empty. The resource ID of a user assigned identity to be used by default.') param primaryUserAssignedIdentityId string = '' @description('Optional. Databases to create in this server.') diff --git a/arm/Microsoft.Sql/managedInstances/readme.md b/arm/Microsoft.Sql/managedInstances/readme.md index 5ef3654dd6..c46f5df5ac 100644 --- a/arm/Microsoft.Sql/managedInstances/readme.md +++ b/arm/Microsoft.Sql/managedInstances/readme.md 
@@ -47,6 +47,11 @@ SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://docs.m | `name` | string | The name of the SQL managed instance. | | `subnetId` | string | The fully qualified resource ID of the subnet on which the SQL managed instance will be placed. | +**Conditional parameters** +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `primaryUserAssignedIdentityId` | string | `''` | Requried if "userAssignedIdentities" is not empty. The resource ID of a user assigned identity to be used by default. | + **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | @@ -71,7 +76,6 @@ SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://docs.m | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `managedInstanceCreateMode` | string | `'Default'` | `[Default, PointInTimeRestore]` | Specifies the mode of database creation. Default: Regular instance creation. Restore: Creates an instance by restoring a set of backups to specific point in time. RestorePointInTime and SourceManagedInstanceId must be specified. | -| `primaryUserAssignedIdentityId` | string | `''` | | Mandatory if "managedServiceIdentity" contains UserAssigned. The resource ID of a user assigned identity to be used by default. | | `proxyOverride` | string | `'Proxy'` | `[Proxy, Redirect, Default]` | Connection type used for connecting to the instance. | | `publicDataEndpointEnabled` | bool | `False` | | Whether or not the public data endpoint is enabled. | | `requestedBackupStorageRedundancy` | string | `'Geo'` | `[Geo, GeoZone, Local, Zone]` | The storage account type used to store backups for this database. | From 189ec030f783ac09c99628625444c03ee14d0a68 Mon Sep 17 00:00:00 2001 
From: MrMCake Date: Mon, 2 May 2022 15:46:37 +0200 Subject: [PATCH 02/27] Minor fixes --- .../workspaces/.parameters/parameters.json | 2 +- arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep | 4 ++-- arm/Microsoft.MachineLearningServices/workspaces/readme.md | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json index 24ae4fa064..59be758dad 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json @@ -38,7 +38,7 @@ "value": "https://adp-carml-az-kv-nopr-002.vault.azure.net/keys/keyEncryptionKey/5263fcde203347baa7cda35d074073b2" // ID must be updated for new keys }, "encryptionKeyVaultResourceId": { - "value": "/subscriptions/a7439831-1cd9-435d-a091-4aa863c96556/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-carml-az-kv-nopr-002" + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-carml-az-kv-nopr-002" }, "imageBuildCompute": { "value": "testcompute" diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index b462e823d9..0e813aa240 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -7,7 +7,7 @@ param name string @sys.description('Optional. Location for all resources.') param location string = resourceGroup().location -@sys.description('Required. Specifies the sku, also referred as \'edition\' of the Azure Machine Learning workspace.') +@sys.description('Required. Specifies the SKU, also referred as \'edition\' of the Azure Machine Learning workspace.') @allowed([ 'Basic' 'Enterprise' 
@@ -116,7 +116,7 @@ param discoveryUrl string = '' @sys.description('Optional. The Resource ID of the user assigned identity that will be used to access the customer managed key vault.') param encryptionIdentity string -@sys.description('Conditional. Key vault uri to access the encryption key. Required if an \'encryptionIdentity\' was provided.') +@sys.description('Conditional. Key vault uri to access the encryption key. Required if an \'encryptionIdentity\' was provided.') param encryptionKeyIdentifier string @sys.description('Conditional. The ResourceID of the keyVault where the customer owned encryption key is present. Required if an \'encryptionIdentity\' was provided.') diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index 2e4a6a6d33..16ca933910 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md 
@@ -29,13 +29,13 @@ This module deploys a Machine Learning Services Workspace. | `associatedKeyVaultResourceId` | string | | The resource ID of the associated Key Vault. | | `associatedStorageAccountResourceId` | string | | The resource ID of the associated Storage Account. | | `name` | string | | The name of the machine learning workspace. | -| `sku` | string | `[Basic, Enterprise]` | Specifies the sku, also referred as 'edition' of the Azure Machine Learning workspace. | +| `sku` | string | `[Basic, Enterprise]` | Specifies the SKU, also referred as 'edition' of the Azure Machine Learning workspace. | **Conditional parameters** | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | | `encryptionKeyVaultResourceId` | string | | The ResourceID of the keyVault where the customer owned encryption key is present. Required if an 'encryptionIdentity' was provided. | -| `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Requried if 'userAssignedIdentities' is not empty. | +| `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Required if 'userAssignedIdentities' is not empty. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | From 487ed7e60d6244b41153a03aa00d9b8c43a6a7fb Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 2 May 2022 16:13:48 +0200 Subject: [PATCH 03/27] Fixed test + fixed typo --- arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep | 2 +- arm/Microsoft.MachineLearningServices/workspaces/readme.md | 1 + arm/Microsoft.Sql/managedInstances/deploy.bicep | 2 +- arm/Microsoft.Sql/managedInstances/readme.md | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) 
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 0e813aa240..cda25b49ab 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -125,7 +125,7 @@ param encryptionKeyVaultResourceId string @sys.description('Optional. The compute name for image build.') param imageBuildCompute string = '' -@sys.description('Conditional. The user assigned identity resource id that represents the workspace identity. Requried if \'userAssignedIdentities\' is not empty.') +@sys.description('Conditional. The user assigned identity resource id that represents the workspace identity. Required if \'userAssignedIdentities\' is not empty.') param primaryUserAssignedIdentity string = '' @sys.description('Optional. Whether requests from Public Network are allowed.') diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index 16ca933910..45c6a69518 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md @@ -34,6 +34,7 @@ This module deploys a Machine Learning Services Workspace. **Conditional parameters** | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | +| `encryptionKeyIdentifier` | string | | Key vault uri to access the encryption key. Required if an 'encryptionIdentity' was provided. | | `encryptionKeyVaultResourceId` | string | | The ResourceID of the keyVault where the customer owned encryption key is present. Required if an 'encryptionIdentity' was provided. | | `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Required if 'userAssignedIdentities' is not empty. | 
diff --git a/arm/Microsoft.Sql/managedInstances/deploy.bicep b/arm/Microsoft.Sql/managedInstances/deploy.bicep index 943a7cdec7..44cb5fcdda 100644 --- a/arm/Microsoft.Sql/managedInstances/deploy.bicep +++ b/arm/Microsoft.Sql/managedInstances/deploy.bicep @@ -122,7 +122,7 @@ param systemAssignedIdentity bool = false @description('Optional. The ID(s) to assign to the resource.') param userAssignedIdentities object = {} -@description('Conditional. Requried if "userAssignedIdentities" is not empty. The resource ID of a user assigned identity to be used by default.') +@description('Conditional. Required if "userAssignedIdentities" is not empty. The resource ID of a user assigned identity to be used by default.') param primaryUserAssignedIdentityId string = '' @description('Optional. Databases to create in this server.') diff --git a/arm/Microsoft.Sql/managedInstances/readme.md b/arm/Microsoft.Sql/managedInstances/readme.md index c46f5df5ac..72216fd4bb 100644 --- a/arm/Microsoft.Sql/managedInstances/readme.md +++ b/arm/Microsoft.Sql/managedInstances/readme.md @@ -50,7 +50,7 @@ SQL MI allows for Azure AD Authentication via an [Azure AD Admin](https://docs.m **Conditional parameters** | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | -| `primaryUserAssignedIdentityId` | string | `''` | Requried if "userAssignedIdentities" is not empty. The resource ID of a user assigned identity to be used by default. | +| `primaryUserAssignedIdentityId` | string | `''` | Required if "userAssignedIdentities" is not empty. The resource ID of a user assigned identity to be used by default. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | From baa7d2b462616eefada346136dd5706b3c04b403 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 2 May 2022 17:36:44 +0200 Subject: [PATCH 04/27] Update to latest --- .../workspaces/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json index 59be758dad..b0809e8eec 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json @@ -44,7 +44,7 @@ "value": "testcompute" }, "publicNetworkAccess": { - "value": true + "value": "Enabled" }, "sharedPrivateLinkResources": { "value": [] From 43b1e85da8cb57e793c6f2b35d8e2ef5c3f2d896 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 2 May 2022 17:38:03 +0200 Subject: [PATCH 05/27] Added min --- .../.parameters/min.parameters.json | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json new file mode 100644 index 0000000000..f50f1d2ee3 --- /dev/null +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json @@ -0,0 +1,21 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-mls-x-001" + }, + "sku": { + "value": "Basic" + }, + "associatedStorageAccountResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" + }, + "associatedKeyVaultResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" + }, + "associatedApplicationInsightsResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Insights/components/adp-<>-az-appi-x-001" + } + } +} 
From d6d4d5c39bdd504cb6581fd03e5729cb5b724019 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 2 May 2022 17:43:56 +0200 Subject: [PATCH 06/27] Update to latest --- .../workspaces/deploy.bicep | 8 ++++---- .../workspaces/readme.md | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index cda25b49ab..43d5a07cdf 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -114,13 +114,13 @@ param description string = '' param discoveryUrl string = '' @sys.description('Optional. The Resource ID of the user assigned identity that will be used to access the customer managed key vault.') -param encryptionIdentity string +param encryptionIdentity string = '' -@sys.description('Conditional. Key vault uri to access the encryption key. Required if an \'encryptionIdentity\' was provided.') -param encryptionKeyIdentifier string +@sys.description('Conditional. Key vault URI to access the encryption key. Required if an \'encryptionIdentity\' was provided.') +param encryptionKeyIdentifier string = '' @sys.description('Conditional. The ResourceID of the keyVault where the customer owned encryption key is present. Required if an \'encryptionIdentity\' was provided.') -param encryptionKeyVaultResourceId string +param encryptionKeyVaultResourceId string = '' @sys.description('Optional. The compute name for image build.') param imageBuildCompute string = '' diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index 45c6a69518..d010ad430a 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md 
@@ -34,8 +34,8 @@ This module deploys a Machine Learning Services Workspace. **Conditional parameters** | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | -| `encryptionKeyIdentifier` | string | | Key vault uri to access the encryption key. Required if an 'encryptionIdentity' was provided. | -| `encryptionKeyVaultResourceId` | string | | The ResourceID of the keyVault where the customer owned encryption key is present. Required if an 'encryptionIdentity' was provided. | +| `encryptionKeyIdentifier` | string | `''` | Key vault URI to access the encryption key. Required if an 'encryptionIdentity' was provided. | +| `encryptionKeyVaultResourceId` | string | `''` | The ResourceID of the keyVault where the customer owned encryption key is present. Required if an 'encryptionIdentity' was provided. | | `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Required if 'userAssignedIdentities' is not empty. | **Optional parameters** 
@@ -55,7 +55,7 @@ This module deploys a Machine Learning Services Workspace. | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | | `discoveryUrl` | string | `''` | | URL for the discovery service to identify regional endpoints for machine learning experimentation services. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `encryptionIdentity` | string | | | The Resource ID of the user assigned identity that will be used to access the customer managed key vault. | +| `encryptionIdentity` | string | `''` | | The Resource ID of the user assigned identity that will be used to access the customer managed key vault. | | `hbiWorkspace` | bool | `False` | | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | | `imageBuildCompute` | string | `''` | | The compute name for image build. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | From b40ad8cf0bfb1c375c1590da72e0a3f9aa6d9c59 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 2 May 2022 17:48:38 +0200 Subject: [PATCH 07/27] Update to latest --- .../workspaces/.parameters/min.parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json index f50f1d2ee3..ce2af0d8a0 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-mls-x-001" + "value": "<>-az-mls-min-001" }, "sku": { "value": "Basic" From 260c037d7d65defb56f10680458d48b7f809bf0d Mon Sep 17 00:00:00 2001 
From: MrMCake Date: Mon, 2 May 2022 21:59:30 +0200 Subject: [PATCH 08/27] Small fix --- arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 43d5a07cdf..c4f2655e37 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -202,10 +202,10 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { description: description discoveryUrl: discoveryUrl encryption: any({ - identity: empty(encryptionIdentity) ? { + identity: !empty(encryptionIdentity) ? { userAssignedIdentity: encryptionIdentity } : null - keyVaultProperties: empty(encryptionIdentity) ? { + keyVaultProperties: !empty(encryptionIdentity) ? { keyIdentifier: encryptionKeyIdentifier keyVaultArmId: encryptionKeyVaultResourceId } : null From 9726dc99233b7c644075d9710ed4630cc106600d Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 2 May 2022 22:01:55 +0200 Subject: [PATCH 09/27] Update to latest --- .../workspaces/.parameters/parameters.json | 2 +- arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep | 2 +- arm/Microsoft.MachineLearningServices/workspaces/readme.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json index b0809e8eec..581ac8e62d 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json 
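Review bot: Both ternaries in the `encryption` block of deploy.bicep test only `encryptionIdentity`, so a caller who passes `encryptionKeyIdentifier` and `encryptionKeyVaultResourceId` but leaves the identity at its default `''` (added in PATCH 06) gets `identity: null` and `keyVaultProperties: null` with no error, and presumably a workspace on platform-managed keys where a customer-managed key was intended. The reverse case, identity set and key values left at `''`, passes empty strings into `keyVaultProperties`. I would key the block on any of the three being supplied, e.g. `var cmkRequested = !empty(encryptionIdentity) || !empty(encryptionKeyIdentifier) || !empty(encryptionKeyVaultResourceId)`, and emit the whole `encryption` object only when it is true, so an incomplete set is rejected by the deployment instead of being dropped (assuming the resource provider validates the key properties). The remaining members of `encryption` and the rest of the resource body lie outside this hunk, so confirm how they behave when the object is omitted.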
@@ -18,7 +18,7 @@ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Insights/components/adp-<>-az-appi-x-001" }, "systemAssignedIdentity": { - "value": true + "value": false // Must be false if `primaryUserAssignedIdentity` is provided }, "userAssignedIdentities": { "value": { diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index c4f2655e37..77fd34e9e0 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -125,7 +125,7 @@ param encryptionKeyVaultResourceId string = '' @sys.description('Optional. The compute name for image build.') param imageBuildCompute string = '' -@sys.description('Conditional. The user assigned identity resource id that represents the workspace identity. Required if \'userAssignedIdentities\' is not empty.') +@sys.description('Conditional. The user assigned identity resource id that represents the workspace identity. Required if \'userAssignedIdentities\' is not empty and may not be used if \'systemAssignedIdentity\' is enabled.') param primaryUserAssignedIdentity string = '' @sys.description('Optional. Whether requests from Public Network are allowed.') diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index d010ad430a..6b8f7e8e3f 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md 
@@ -36,7 +36,7 @@ This module deploys a Machine Learning Services Workspace. | :-- | :-- | :-- | :-- | | `encryptionKeyIdentifier` | string | `''` | Key vault URI to access the encryption key. Required if an 'encryptionIdentity' was provided. | | `encryptionKeyVaultResourceId` | string | `''` | The ResourceID of the keyVault where the customer owned encryption key is present. Required if an 'encryptionIdentity' was provided. | -| `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Required if 'userAssignedIdentities' is not empty. | +| `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | From 14460014c5498a8cc11c8e0ce27dfff309aff70e Mon Sep 17 00:00:00 2001 From: MrMCake Date: Mon, 2 May 2022 22:22:33 +0200 Subject: [PATCH 10/27] Enabled system assigned for min --- .../workspaces/.parameters/min.parameters.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json index ce2af0d8a0..012526cf1f 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json @@ -16,6 +16,9 @@ }, "associatedApplicationInsightsResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Insights/components/adp-<>-az-appi-x-001" + }, + "systemAssignedIdentity": { + "value": true } } } From 37f446da4e01cfe2098e3b951abd630c71a4ec19 Mon Sep 17 00:00:00 2001 
From: MrMCake
Date: Mon, 2 May 2022 22:29:56 +0200
Subject: [PATCH 11/27] Update to latest
---
 .../workspaces/.parameters/parameters.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
index 581ac8e62d..b2dee78181 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
@@ -59,7 +59,7 @@
 "location": "westeurope",
 "computeLocation": "westeurope",
 "sku": "Basic",
- "systemAssignedIdentity": true,
+ "systemAssignedIdentity": false,
 "userAssignedIdentities": {
 "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
 },
From f6858a1ac5b4c45d8b5528aa1359c253f491d202 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Tue, 3 May 2022 11:23:33 +0200
Subject: [PATCH 12/27] Added private endpoint to test
---
 .../workspaces/.parameters/parameters.json | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
index b2dee78181..ef5eb2c705 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
@@ -106,6 +106,14 @@
 },
 "diagnosticEventHubName": {
 "value": "adp-<>-az-evh-x-001"
+ },
+ "privateEndpoints": {
+ "value": [
+ {
+ "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints",
+ "service": "amlworkspace"
+ }
+ ]
 }
 }
 }
From 07914919dd8cc0bda42cee31390ce3cbba453359 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Tue, 3 May 2022 12:58:30 +0200
Subject: [PATCH 13/27] Update to latest
---
 .../workspaces/.parameters/parameters.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
index ef5eb2c705..a896a96ee5 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
@@ -110,10 +110,22 @@
 "privateEndpoints": {
 "value": [
 {
+ "name": "testLink",
 "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints",
 "service": "amlworkspace"
 }
 ]
+ },
+ "sharedPrivateLinkResources ": {
+ "value": [
+ {
+ "name": "testLink",
+ "properties": {
+ "privateLinkResourceId": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/workspace-1234/providers/Microsoft.DocumentDB/databaseAccounts/testcosmosdbresource/privateLinkResources/Sql",
+ "groupId": "Sql"
+ }
+ }
+ ]
 }
 }
 }
From a52ce4009af2d95d441f9e153234548f643d28ce Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Tue, 3 May 2022 13:02:36 +0200
Subject: [PATCH 14/27] Update to latest
---
 .../workspaces/.parameters/parameters.json | 11 -----------
 .../workspaces/deploy.bicep | 2 +-
 2 files changed, 1 insertion(+), 12 deletions(-)
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
index a896a96ee5..24cfb892f8 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
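Review bot: The key added in the PATCH 13 hunk, `"sharedPrivateLinkResources "`, ends with a space inside the quotes, so it does not match the module parameter `sharedPrivateLinkResources` and the entry would not reach the property it is meant to exercise. Its `privateLinkResourceId` also points at a literal `00000000-1111-2222-3333-444444444444` subscription and a `workspace-1234` resource group, where every other ID in the file uses the `/subscriptions/<>/resourceGroups/validation-rg/` form, so even with the key fixed the link targets a resource the validation environment does not appear to contain. I would rename the key to `"sharedPrivateLinkResources"` and reference a resource from the validation resource group.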
@@ -115,17 +115,6 @@ "service": "amlworkspace" } ] - }, - "sharedPrivateLinkResources ": { - "value": [ - { - "name": "testLink", - "properties": { - "privateLinkResourceId": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/workspace-1234/providers/Microsoft.DocumentDB/databaseAccounts/testcosmosdbresource/privateLinkResources/Sql", - "groupId": "Sql" - } - } - ] } } } diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 77fd34e9e0..0b546da670 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -213,7 +213,7 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { imageBuildCompute: imageBuildCompute primaryUserAssignedIdentity: primaryUserAssignedIdentity publicNetworkAccess: publicNetworkAccess - sharedPrivateLinkResources: sharedPrivateLinkResources + sharedPrivateLinkResources: !empty(sharedPrivateLinkResources) ? sharedPrivateLinkResources : null } } From 9be3a644e664c12e05140c8c56e8cfce966be465 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 3 May 2022 13:38:05 +0200 Subject: [PATCH 15/27] Changed formatting of shared --- .../workspaces/deploy.bicep | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 0b546da670..12d640545f 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -191,7 +191,7 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { tier: sku } identity: identity - properties: { + properties: union({ friendlyName: name storageAccount: associatedStorageAccountResourceId keyVault: associatedKeyVaultResourceId 
@@ -213,8 +213,10 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { imageBuildCompute: imageBuildCompute primaryUserAssignedIdentity: primaryUserAssignedIdentity publicNetworkAccess: publicNetworkAccess - sharedPrivateLinkResources: !empty(sharedPrivateLinkResources) ? sharedPrivateLinkResources : null - } + // sharedPrivateLinkResources: !empty(sharedPrivateLinkResources) ? sharedPrivateLinkResources : null + }, (!empty(sharedPrivateLinkResources) ? { + sharedPrivateLinkResources: sharedPrivateLinkResources + } : {})) } module workspace_computes 'computes/deploy.bicep' = [for compute in computes: { From 27f05f10263e3c9e37de8fc153d71f0864fce151 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 3 May 2022 15:38:53 +0200 Subject: [PATCH 16/27] Update to latest --- .../workspaces/.parameters/parameters.json | 5 +---- .../workspaces/deploy.bicep | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json index 24cfb892f8..3cefc9e8cd 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json @@ -46,9 +46,6 @@ "publicNetworkAccess": { "value": "Enabled" }, - "sharedPrivateLinkResources": { - "value": [] - }, "primaryUserAssignedIdentity": { "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" }, @@ -110,7 +107,7 @@ "privateEndpoints": { "value": [ { - "name": "testLink", + //"name": "testLink", "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", "service": "amlworkspace" } 
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 12d640545f..9958f386a7 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -213,8 +213,8 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { imageBuildCompute: imageBuildCompute primaryUserAssignedIdentity: primaryUserAssignedIdentity publicNetworkAccess: publicNetworkAccess - // sharedPrivateLinkResources: !empty(sharedPrivateLinkResources) ? sharedPrivateLinkResources : null }, (!empty(sharedPrivateLinkResources) ? { + // requires to be added via `union` as neither `[]` nor `null` are supported defaults sharedPrivateLinkResources: sharedPrivateLinkResources } : {})) } From 9e79b8ff43413ec30c982c3ea7154923b0998712 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 3 May 2022 16:31:04 +0200 Subject: [PATCH 17/27] Undid last changes for testing --- .../workspaces/deploy.bicep | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 9958f386a7..77fd34e9e0 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -191,7 +191,7 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { tier: sku } identity: identity - properties: union({ + properties: { friendlyName: name storageAccount: associatedStorageAccountResourceId keyVault: associatedKeyVaultResourceId 
@@ -213,10 +213,8 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { imageBuildCompute: imageBuildCompute primaryUserAssignedIdentity: primaryUserAssignedIdentity publicNetworkAccess: publicNetworkAccess - }, (!empty(sharedPrivateLinkResources) ? { - // requires to be added via `union` as neither `[]` nor `null` are supported defaults sharedPrivateLinkResources: sharedPrivateLinkResources - } : {})) + } } module workspace_computes 'computes/deploy.bicep' = [for compute in computes: { From 67512dbb0f9c97cbcfe56c8d0fd4ee9969d1b944 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 3 May 2022 18:17:40 +0200 Subject: [PATCH 18/27] Added shared link test --- .../workspaces/.parameters/parameters.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json index 3cefc9e8cd..0a49529319 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json @@ -112,6 +112,17 @@ "service": "amlworkspace" } ] + }, + "sharedPrivateLinkResources": { + "value": [ + { + "name": "customServiceLink", + "properties": { + "groupId": "vault", + "privateLinkResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001" + } + } + ] } } } From afd9bbb46df0915a9febe527d4978e4cbacd2ff0 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Tue, 3 May 2022 21:03:20 +0200 Subject: [PATCH 19/27] Removed shared connection --- .../workspaces/.parameters/parameters.json | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json index 0a49529319..3cefc9e8cd 100644 
--- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
@@ -112,17 +112,6 @@
 "service": "amlworkspace"
 }
 ]
- },
- "sharedPrivateLinkResources": {
- "value": [
- {
- "name": "customServiceLink",
- "properties": {
- "groupId": "vault",
- "privateLinkResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001"
- }
- }
- ]
 }
 }
 }
From 9f1b5a4150d19037c731deefac8073f5f5ed3d61 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Tue, 3 May 2022 21:16:12 +0200
Subject: [PATCH 20/27] Changed private link res
---
 .../workspaces/.parameters/parameters.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
index 3cefc9e8cd..c6654ea57e 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
@@ -112,6 +112,17 @@
 "service": "amlworkspace"
 }
 ]
+ },
+ "sharedPrivateLinkResources": {
+ "value": [
+ {
+ "name": "customServiceLink",
+ "properties": {
+ "groupId": "amlworkspace",
+ "privateLinkResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.MachineLearningServices/workspaces/<>-az-mls-x-001"
+ }
+ }
+ ]
 }
 }
 }
From f37f89a2f1adaf8729bf08d335bc170dbcd8f338 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Tue, 3 May 2022 21:17:32 +0200
Subject: [PATCH 21/27] Update to latest
---
 .../workspaces/.parameters/parameters.json | 11 -----------
 .../workspaces/deploy.bicep | 4 ----
 .../workspaces/readme.md | 1 -
 3 files changed, 16 deletions(-)
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json index c6654ea57e..3cefc9e8cd 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json @@ -112,17 +112,6 @@ "service": "amlworkspace" } ] - }, - "sharedPrivateLinkResources": { - "value": [ - { - "name": "customServiceLink", - "properties": { - "groupId": "amlworkspace", - "privateLinkResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.MachineLearningServices/workspaces/<>-az-mls-x-001" - } - } - ] } } } diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 77fd34e9e0..86f9ea109b 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -135,9 +135,6 @@ param primaryUserAssignedIdentity string = '' ]) param publicNetworkAccess string = 'Disabled' -@sys.description('Optional. The list of shared private link resources in this workspace.') -param sharedPrivateLinkResources array = [] - // ================// // Variables // // ================// @@ -213,7 +210,6 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2021-07-01' = { imageBuildCompute: imageBuildCompute primaryUserAssignedIdentity: primaryUserAssignedIdentity publicNetworkAccess: publicNetworkAccess - sharedPrivateLinkResources: sharedPrivateLinkResources } } diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index 6b8f7e8e3f..79beb99957 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md 
@@ -63,7 +63,6 @@ This module deploys a Machine Learning Services Workspace. | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | | `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether requests from Public Network are allowed. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `sharedPrivateLinkResources` | array | `[]` | | The list of shared private link resources in this workspace. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Resource tags. | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | From f883c33af141d4e7ead1d251b102bbe8e2eb92b7 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 3 May 2022 21:20:10 +0200 Subject: [PATCH 22/27] Updated pipeline --- .../modulePipelines/ms.machinelearningservices.workspaces.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml b/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml index 811ce5a076..6f5d0a1cc8 100644 --- a/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml +++ b/.azuredevops/modulePipelines/ms.machinelearningservices.workspaces.yml @@ -45,6 +45,7 @@ stages: parameters: removeDeployment: '${{ parameters.removeDeployment }}' deploymentBlocks: + - path: $(modulePath)/.parameters/min.parameters.json - path: $(modulePath)/.parameters/parameters.json - stage: Publishing 
From 8e79abe59521f5e2fa6812b3c579197360ed23cb Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Tue, 3 May 2022 21:21:01 +0200
Subject: [PATCH 23/27] Update to latest
---
 .../workspaces/.parameters/parameters.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
index 3cefc9e8cd..c6ecc0756d 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/parameters.json
@@ -107,7 +107,6 @@
 "privateEndpoints": {
 "value": [
 {
- //"name": "testLink",
 "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints",
 "service": "amlworkspace"
 }
From 8e01b7cb0602132b67f86b82c2a5a2e83243bff7 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Wed, 4 May 2022 11:25:35 +0200
Subject: [PATCH 24/27] removed test param
---
 .../workspaces/.parameters/min.parameters.json | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json
index 012526cf1f..ce2af0d8a0 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json
@@ -16,9 +16,6 @@
 },
 "associatedApplicationInsightsResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Insights/components/adp-<>-az-appi-x-001"
- },
- "systemAssignedIdentity": {
- "value": true
 }
 }
 }
From 2da1b75f5c74a7d0fabee45a7e4e07163c99385f Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Wed, 4 May 2022 15:25:25 +0200
Subject: [PATCH 25/27] Test with user assigned
---
 .../workspaces/.parameters/min.parameters.json | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json
index ce2af0d8a0..7c61de3874 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json
@@ -16,6 +16,11 @@
 },
 "associatedApplicationInsightsResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Insights/components/adp-<>-az-appi-x-001"
+ },
+ "userAssignedIdentities": {
+ "value": {
+ "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
+ }
 }
 }
 }
From b3e86b71cceaae47fb3599bbde16ec5140d3412f Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Wed, 4 May 2022 15:39:50 +0200
Subject: [PATCH 26/27] Extended user assigned identity test
---
 .../workspaces/.parameters/min.parameters.json | 3 +++
 arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep | 4 ++--
 arm/Microsoft.MachineLearningServices/workspaces/readme.md | 4 ++--
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json
index 7c61de3874..8d1fcc4395 100644
--- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json
+++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json
@@ -21,6 +21,9 @@ "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} } + }, + "primaryUserAssignedIdentity": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" } } } diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index 86f9ea109b..210a03e794 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep @@ -56,10 +56,10 @@ param tags object = {} param enableDefaultTelemetry bool = true // Identity -@sys.description('Optional. Enables system assigned managed identity on the resource.') +@sys.description('Conditional. Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided.') param systemAssignedIdentity bool = false -@sys.description('Optional. The ID(s) to assign to the resource.') +@sys.description('Conditional. The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false.') param userAssignedIdentities object = {} // Diagnostic Settings diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index 79beb99957..1a9a149c50 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md 
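Review bot: The two new descriptions in the deploy.bicep hunk quote parameter names with backticks, while the other conditional descriptions in this file use escaped single quotes (`\'userAssignedIdentities\'` on `primaryUserAssignedIdentity`, `\'encryptionIdentity\'` on the key parameters), and the readme rows in the same patch carry the same mismatch. I would write `Required if \'userAssignedIdentities\' is not provided.` and `Required if \'systemAssignedIdentity\' is set to false.` to match. The requirement is also documentation only: both parameters keep their defaults (`false` and `{}`), so nothing in this hunk stops a caller who sets neither, and how the `identity` variable handles that case is outside the visible lines.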
@@ -37,6 +37,8 @@ This module deploys a Machine Learning Services Workspace. | `encryptionKeyIdentifier` | string | `''` | Key vault URI to access the encryption key. Required if an 'encryptionIdentity' was provided. | | `encryptionKeyVaultResourceId` | string | `''` | The ResourceID of the keyVault where the customer owned encryption key is present. Required if an 'encryptionIdentity' was provided. | | `primaryUserAssignedIdentity` | string | `''` | The user assigned identity resource id that represents the workspace identity. Required if 'userAssignedIdentities' is not empty and may not be used if 'systemAssignedIdentity' is enabled. | +| `systemAssignedIdentity` | bool | `False` | Enables system assigned managed identity on the resource. Required if `userAssignedIdentities` is not provided. | +| `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if `systemAssignedIdentity` is set to false. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | 
@@ -63,9 +65,7 @@ This module deploys a Machine Learning Services Workspace. | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | | `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether requests from Public Network are allowed. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Resource tags. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | ### Parameter Usage: `computes` From 878b9b605b1d8c61975e5579233907e209928365 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Wed, 4 May 2022 16:49:29 +0200 Subject: [PATCH 27/27] After successful evaluation switched to system assigned (to simplify) --- .../workspaces/.parameters/min.parameters.json | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json index 8d1fcc4395..012526cf1f 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json +++ b/arm/Microsoft.MachineLearningServices/workspaces/.parameters/min.parameters.json 
@@ -17,13 +17,8 @@
 "associatedApplicationInsightsResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Insights/components/adp-<>-az-appi-x-001"
 },
- "userAssignedIdentities": {
- "value": {
- "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
- }
- },
- "primaryUserAssignedIdentity": {
- "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001"
+ "systemAssignedIdentity": {
+ "value": true
 }
 }
 }