diff --git a/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep b/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep
index d3ff1c59e2..e574141c4e 100644
--- a/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep
@@ -42,7 +42,7 @@ var builtInRoleNames = {
 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
-resource eventHubNamespace 'Microsoft.EventHub/namespaces@2017-04-01' existing = {
+resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
 name: last(split(resourceId, '/'))
 }
diff --git a/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json b/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json
index 73526856e3..33cf7d93bf 100644
--- a/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json
+++ b/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json
@@ -105,17 +105,24 @@
 "systemAssignedIdentity": {
 "value": true
 },
- "networkAcls": {
+ "networkRuleSets": {
 "value": {
- "bypass": "AzureServices",
 "defaultAction": "Deny",
+ "ipRules": [
+ {
+ "action": "Allow",
+ "ipMask": "10.10.10.10"
+ }
+ ],
 "virtualNetworkRules": [
 {
- "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001",
- "action": "Allow"
+ "subnet": {
+ "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001"
+ },
+ "ignoreMissingVnetServiceEndpoint": true
 }
 ],
- "ipRules": []
+ "trustedServiceAccessEnabled": false
 }
 },
 "userAssignedIdentities": {
diff --git a/arm/Microsoft.EventHub/namespaces/authorizationRules/deploy.bicep b/arm/Microsoft.EventHub/namespaces/authorizationRules/deploy.bicep
index 743ba22f23..464fd3906e 100644
--- a/arm/Microsoft.EventHub/namespaces/authorizationRules/deploy.bicep
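Review bot: The updated `networkRuleSets` test value never sets `publicNetworkAccess`, so the validation deployment only exercises the rules-present path of the new module and leaves its `Disabled` branch (where `ipRules`/`virtualNetworkRules` are nulled) uncovered. A second variant with `"publicNetworkAccess": "Disabled"` and no rules would pin that path. The removed `"bypass": "AzureServices"` has no direct counterpart in the new shape; `"trustedServiceAccessEnabled": false` is the closest analogue and makes the test namespace stricter than before, which is worth a line in the PR description.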
+++ b/arm/Microsoft.EventHub/namespaces/authorizationRules/deploy.bicep
@@ -27,11 +27,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
 name: namespaceName
 }
-resource authorizationRule 'Microsoft.EventHub/namespaces/AuthorizationRules@2017-04-01' = {
+resource authorizationRule 'Microsoft.EventHub/namespaces/AuthorizationRules@2021-11-01' = {
 name: name
 parent: namespace
 properties: {
diff --git a/arm/Microsoft.EventHub/namespaces/authorizationRules/readme.md b/arm/Microsoft.EventHub/namespaces/authorizationRules/readme.md
index 67d6117b3a..d51b8b653d 100644
--- a/arm/Microsoft.EventHub/namespaces/authorizationRules/readme.md
+++ b/arm/Microsoft.EventHub/namespaces/authorizationRules/readme.md
@@ -12,7 +12,7 @@ This module deploys an EventHub Namespace Authorization Rule
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.EventHub/namespaces/authorizationRules` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/authorizationRules) |
+| `Microsoft.EventHub/namespaces/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/authorizationRules) |
 ## Parameters
diff --git a/arm/Microsoft.EventHub/namespaces/deploy.bicep b/arm/Microsoft.EventHub/namespaces/deploy.bicep
index 00529fac2c..c239d9c2c1 100644
--- a/arm/Microsoft.EventHub/namespaces/deploy.bicep
+++ b/arm/Microsoft.EventHub/namespaces/deploy.bicep
@@ -43,8 +43,8 @@ param authorizationRules array = [
 @description('Optional. Configuration Details for private endpoints.For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints array = []
-@description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny.')
-param networkAcls object = {}
+@description('Optional. Networks ACLs, this object contains IPs/Subnets to whitelist or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.')
+param networkRuleSets object = {}
 @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
 @minValue(0)
@@ -96,20 +96,24 @@ param disasterRecoveryConfig object = {}
 @allowed([
 'ArchiveLogs'
 'OperationalLogs'
+ 'AutoScaleLogs'
 'KafkaCoordinatorLogs'
 'KafkaUserErrorLogs'
 'EventHubVNetConnectionEvent'
 'CustomerManagedKeyUserLogs'
- 'AutoScaleLogs'
+ 'RuntimeAuditLogs'
+ 'ApplicationMetricsLogs'
 ])
 param diagnosticLogCategoriesToEnable array = [
 'ArchiveLogs'
 'OperationalLogs'
+ 'AutoScaleLogs'
 'KafkaCoordinatorLogs'
 'KafkaUserErrorLogs'
 'EventHubVNetConnectionEvent'
 'CustomerManagedKeyUserLogs'
- 'AutoScaleLogs'
+ 'RuntimeAuditLogs'
+ 'ApplicationMetricsLogs'
 ]
 @description('Optional. The name of metrics that will be streamed.')
@@ -165,7 +169,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' = {
+resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-11-01' = {
 name: name_var
 location: location
 tags: tags
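Review bot: The new `networkRuleSets` description in the first hunk drops the old explicit advice to set `defaultAction` to `Deny`, while the module wired up in the later `@@ -264,6 +262,19 @@` hunk falls back to `defaultAction: 'Allow'` and `trustedServiceAccessEnabled: true` whenever those keys are absent, and any key it does not read (the legacy `bypass`, or the old `id`/`action` rule shape seen in the removed parameter file) is silently ignored because every lookup is gated by `contains()`. A caller migrating an old `networkAcls` object therefore gets an open rule set with no compile or deploy error. The description is the only place this contract is visible, so it should name the accepted keys and the fallbacks, e.g. `@description('Optional. Network rule set for the namespace. Accepted keys: publicNetworkAccess, defaultAction (defaults to Allow), trustedServiceAccessEnabled (defaults to true), ipRules, virtualNetworkRules; other keys are ignored. For security reasons, it is recommended to set defaultAction to Deny or to restrict access to private endpoints only.')`.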
@@ -179,12 +183,6 @@ resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' =
 zoneRedundant: zoneRedundant
 isAutoInflateEnabled: isAutoInflateEnabled
 maximumThroughputUnits: maximumThroughputUnits_var
- networkAcls: !empty(networkAcls) ? {
- bypass: !empty(networkAcls) ? networkAcls.bypass : null
- defaultAction: !empty(networkAcls) ? networkAcls.defaultAction : null
- virtualNetworkRules: (!empty(networkAcls) && contains(networkAcls, 'virtualNetworkRules')) ? networkAcls.virtualNetworkRules : []
- ipRules: (!empty(networkAcls) && contains(networkAcls, 'ipRules')) ? networkAcls.ipRules : []
- } : null
 }
 }
@@ -264,6 +262,19 @@ module eventHubNamespace_authorizationRules 'authorizationRules/deploy.bicep' =
 }
 }]
+module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!empty(networkRuleSets)) {
+ name: '${uniqueString(deployment().name, location)}-EvhbNamespace-NetworkRuleSet'
+ params: {
+ namespaceName: eventHubNamespace.name
+ publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : 'Enabled'
+ defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow'
+ trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true
+ ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : []
+ virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? networkRuleSets.virtualNetworkRules : []
+ enableDefaultTelemetry: enableDefaultTelemetry
+ }
+}
+
 module eventHubNamespace_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: {
 name: '${uniqueString(deployment().name, location)}-EvhbNamespace-PrivateEndpoint-${index}'
 params: {
diff --git a/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/deploy.bicep b/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/deploy.bicep
index c8cb528758..ce678348e0 100644
--- a/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/deploy.bicep
+++ b/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/deploy.bicep
@@ -22,11 +22,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
 name: namespaceName
 }
-resource disasterRecoveryConfig 'Microsoft.EventHub/namespaces/disasterRecoveryConfigs@2017-04-01' = {
+resource disasterRecoveryConfig 'Microsoft.EventHub/namespaces/disasterRecoveryConfigs@2021-11-01' = {
 name: name
 parent: namespace
 properties: {
diff --git a/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/readme.md b/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/readme.md
index 83c1445822..d66effcad9 100644
--- a/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/readme.md
+++ b/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/readme.md
@@ -12,7 +12,7 @@ This module deploys an EventHub Namespace Disaster Recovery Config
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/disasterRecoveryConfigs) |
+| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/disasterRecoveryConfigs) |
 ## Parameters
diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_rbac.bicep b/arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_rbac.bicep
index 151706bbcb..1bfa9a5eaa 100644
--- a/arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_rbac.bicep
@@ -40,7 +40,7 @@ var builtInRoleNames = {
 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
-resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-06-01-preview' existing = {
+resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-11-01' existing = {
 name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}}'
 }
diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/deploy.bicep b/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/deploy.bicep
index 8690cf47ed..db796b1e96 100644
--- a/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/deploy.bicep
+++ b/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/deploy.bicep
@@ -30,15 +30,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
 name: namespaceName
- resource eventhub 'eventHubs@2021-06-01-preview' existing = {
+ resource eventhub 'eventHubs@2021-11-01' existing = {
 name: eventHubName
 }
 }
-resource authorizationRule 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules@2021-06-01-preview' = {
+resource authorizationRule 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules@2021-11-01' = {
 name: name
 parent: namespace::eventhub
 properties: {
diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/readme.md b/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/readme.md
index f33c1c6fd7..a188dffa89 100644
--- a/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/readme.md
+++ b/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/readme.md
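Review bot: The name of the `existing` event hub reference in the nested_rbac hunk, `'${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}}'`, appears to carry a stray `}` after the closing interpolation brace, which would append a literal `}` to the resolved name; Bicep has no `}}` escape that I am aware of, so unless this path has been verified to resolve in validation I would treat it as a defect. It is a context line that predates the API-version bump, but this commit is the natural place to correct it: `name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'`.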
@@ -12,7 +12,7 @@ This module deploys an EventHub Namespace EventHubs Authorization Rule
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/authorizationRules) |
+| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/authorizationRules) |
 ## Parameters
diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/deploy.bicep b/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/deploy.bicep
index 1b03bf2aa8..c6f9f500f3 100644
--- a/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/deploy.bicep
+++ b/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/deploy.bicep
@@ -25,15 +25,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
 name: namespaceName
- resource eventhub 'eventHubs@2021-06-01-preview' existing = {
+ resource eventhub 'eventHubs@2021-11-01' existing = {
 name: eventHubName
 }
 }
-resource consumerGroup 'Microsoft.EventHub/namespaces/eventhubs/consumergroups@2021-06-01-preview' = {
+resource consumerGroup 'Microsoft.EventHub/namespaces/eventhubs/consumergroups@2021-11-01' = {
 name: name
 parent: namespace::eventhub
 properties: {
diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/readme.md b/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/readme.md
index c643cd19de..9699fc7968 100644
--- a/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/readme.md
+++ b/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/readme.md
@@ -12,7 +12,7 @@ This module deploys an EventHub Namespace EventHubs Consumer Group
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/consumergroups) |
+| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/consumergroups) |
 ## Parameters
diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/deploy.bicep b/arm/Microsoft.EventHub/namespaces/eventhubs/deploy.bicep
index 50323cceca..178cf4c53e 100644
--- a/arm/Microsoft.EventHub/namespaces/eventhubs/deploy.bicep
+++ b/arm/Microsoft.EventHub/namespaces/eventhubs/deploy.bicep
@@ -134,11 +134,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
 name: namespaceName
 }
-resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-06-01-preview' = {
+resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-11-01' = {
 name: name
 parent: namespace
 properties: captureDescriptionEnabled ? eventHubPropertiesWithCapture : eventHubPropertiesSimple
diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/readme.md b/arm/Microsoft.EventHub/namespaces/eventhubs/readme.md
index d928b62dbe..ad6e523ce5 100644
--- a/arm/Microsoft.EventHub/namespaces/eventhubs/readme.md
+++ b/arm/Microsoft.EventHub/namespaces/eventhubs/readme.md
@@ -14,9 +14,9 @@ This module deploys an Event Hub.
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) |
-| `Microsoft.EventHub/namespaces/eventhubs` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs) |
-| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/authorizationRules) |
-| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/consumergroups) |
+| `Microsoft.EventHub/namespaces/eventhubs` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs) |
+| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/authorizationRules) |
+| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/consumergroups) |
 ## Parameters
diff --git a/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep
new file mode 100644
index 0000000000..9940f008a6
--- /dev/null
+++ b/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep
@@ -0,0 +1,69 @@
+@description('Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.')
+param namespaceName string
+
+@allowed([
+ 'Enabled'
+ 'Disabled'
+])
+@description('Optional. This determines if traffic is allowed over public network. Default it is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only.')
+param publicNetworkAccess string = 'Enabled'
+
+@allowed([
+ 'Allow'
+ 'Deny'
+])
+@description('Optional. Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules/virtualNetworkRules or are being used. If ipRules/virtualNetworkRules are not used and PublicNetworkAccess is set to "Disabled", setting this to "Deny" would render the namespace resources inaccessible for data-plane requests')
+param defaultAction string = 'Allow'
+
+@description('Optional. List of IpRules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled".')
+param ipRules array = []
+
+@allowed([
+ true
+ false
+])
+@description('Optional. Value that indicates whether Trusted Service Access is Enabled or not. Default is "true".')
+param trustedServiceAccessEnabled bool = true
+
+@description('Optional. List VirtualNetwork Rules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled".')
+param virtualNetworkRules array = []
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
+ name: namespaceName
+}
+
+resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2021-11-01' = {
+ name: 'default'
+ parent: namespace
+ properties: {
+ publicNetworkAccess: !empty(ipRules) || !empty(virtualNetworkRules) ? null : publicNetworkAccess
+ defaultAction: !empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction
+ trustedServiceAccessEnabled: trustedServiceAccessEnabled
+ ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules
+ virtualNetworkRules: publicNetworkAccess == 'Disabled' ? null : virtualNetworkRules
+ }
+}
+
+@description('The name of the network rule set.')
+output name string = networkRuleSet.name
+
+@description('The resource ID of the network rule set.')
+output resourceId string = networkRuleSet.id
+
+@description('The name of the resource group the network rule set was created in.')
+output resourceGroupName string = resourceGroup().name
diff --git a/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md b/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
new file mode 100644
index 0000000000..46c9af2331
--- /dev/null
+++ b/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
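Review bot: The `properties` block of `networkRuleSet` drives its four network properties from two different predicates that can contradict each other: `publicNetworkAccess` is nulled whenever `ipRules`/`virtualNetworkRules` are non-empty, while the rule arrays are nulled whenever `publicNetworkAccess == 'Disabled'`, so a caller who passes rules together with `'Disabled'` ends up with neither the rules nor the explicit `Disabled`, and only `defaultAction: 'Deny'` survives. The `ipRules` and `virtualNetworkRules` descriptions also state that using rules sets `publicNetworkAccess` to `"Enabled"`, but the code emits `null` and leaves that value to the service. One predicate should decide all four properties so the template matches its own documentation; a possible shape is below. Separately, the `defaultAction` description has a typo (`ipRules/virtualNetworkRules or are being used`), and the two `### Parameter Usage:` headings in the new readme are empty where they should name `virtualNetworkRules` and `ipRules`.
```bicep
// … unchanged: parameters, defaultTelemetry and the existing namespace reference …

// Single predicate for "firewall rules are in effect"; the parameter descriptions
// promise that rules force defaultAction to Deny and publicNetworkAccess to Enabled.
var networkRulesInUse = !empty(ipRules) || !empty(virtualNetworkRules)

resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2021-11-01' = {
  name: 'default'
  parent: namespace
  properties: {
    publicNetworkAccess: networkRulesInUse ? 'Enabled' : publicNetworkAccess
    defaultAction: networkRulesInUse ? 'Deny' : defaultAction
    trustedServiceAccessEnabled: trustedServiceAccessEnabled
    ipRules: ipRules
    virtualNetworkRules: virtualNetworkRules
  }
}

// … unchanged: outputs …
```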
@@ -0,0 +1,83 @@
+# EventHub Namespaces NetworkRuleSets `[Microsoft.EventHub/namespaces/networkRuleSets]`
+
+This module deploys EventHub Namespaces NetworkRuleSets.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.EventHub/namespaces/networkRuleSets` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/networkRuleSets) |
+
+## Parameters
+
+**Conditional parameters**
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `namespaceName` | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. |
+
+**Optional parameters**
+| Parameter Name | Type | Default Value | Allowed Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules/virtualNetworkRules or are being used. If ipRules/virtualNetworkRules are not used and PublicNetworkAccess is set to "Disabled", setting this to "Deny" would render the namespace resources inaccessible for data-plane requests |
+| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
+| `ipRules` | array | `[]` | | List of IpRules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled". |
+| `publicNetworkAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | This determines if traffic is allowed over public network. Default it is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only. |
+| `trustedServiceAccessEnabled` | bool | `True` | `[True, False]` | Value that indicates whether Trusted Service Access is Enabled or not. Default is "true". |
+| `virtualNetworkRules` | array | `[]` | | List VirtualNetwork Rules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled". |
+
+
+### Parameter Usage: ``
+
+Contains an array of subnets that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint.
+
+```json
+"virtualNetworkRules": {
+ "value": [
+ {
+ "ignoreMissingVnetServiceEndpoint": true,
+ "subnet": {
+ "id": "/subscriptions/<>/resourcegroups/<>/providers/Microsoft.Network/virtualNetworks/<>/subnets/<>"
+ }
+ },
+ {
+ "ignoreMissingVnetServiceEndpoint": false,
+ "subnet": {
+ "id": "/subscriptions/<>/resourcegroups/<>/providers/Microsoft.Network/virtualNetworks/<>/subnets/<>"
+ }
+ }
+ ]
+}
+```
+
+### Parameter Usage: ``
+
+Contains an array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR.
+
+```json
+"ipRules": {
+ "value": [
+ {
+ "action": "Allow",
+ "ipMask": "a.b.c.d/e"
+ },
+ {
+ "action": "Allow",
+ "ipMask": "x.x.x.x/x"
+ }
+ ]
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the network rule set. |
+| `resourceGroupName` | string | The name of the resource group the network rule set was created in. |
+| `resourceId` | string | The resource ID of the network rule set. |
diff --git a/arm/Microsoft.EventHub/namespaces/networkRuleSets/version.json b/arm/Microsoft.EventHub/namespaces/networkRuleSets/version.json
new file mode 100644
index 0000000000..56f8d9ca40
--- /dev/null
+++ b/arm/Microsoft.EventHub/namespaces/networkRuleSets/version.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.EventHub/namespaces/readme.md b/arm/Microsoft.EventHub/namespaces/readme.md
index f0f7c95209..81786723ab 100644
--- a/arm/Microsoft.EventHub/namespaces/readme.md
+++ b/arm/Microsoft.EventHub/namespaces/readme.md
@@ -14,12 +14,13 @@ This module deploys an event hub namespace.
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) |
-| `Microsoft.EventHub/namespaces` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces) |
-| `Microsoft.EventHub/namespaces/authorizationRules` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/authorizationRules) |
-| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/disasterRecoveryConfigs) |
-| `Microsoft.EventHub/namespaces/eventhubs` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs) |
-| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/authorizationRules) |
-| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/consumergroups) |
+| `Microsoft.EventHub/namespaces` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces) |
+| `Microsoft.EventHub/namespaces/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/authorizationRules) |
+| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/disasterRecoveryConfigs) |
+| `Microsoft.EventHub/namespaces/eventhubs` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs) |
+| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/authorizationRules) |
+| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/consumergroups) |
+| `Microsoft.EventHub/namespaces/networkRuleSets` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/networkRuleSets) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
 | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) |
@@ -32,7 +33,7 @@ This module deploys an event hub namespace.
 | `authorizationRules` | _[authorizationRules](authorizationRules/readme.md)_ array | `[System.Collections.Hashtable]` | | Authorization Rules for the Event Hub namespace. |
 | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
 | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| `diagnosticLogCategoriesToEnable` | array | `[ArchiveLogs, OperationalLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, AutoScaleLogs]` | `[ArchiveLogs, OperationalLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, AutoScaleLogs]` | The name of logs that will be streamed. |
+| `diagnosticLogCategoriesToEnable` | array | `[ArchiveLogs, OperationalLogs, AutoScaleLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, RuntimeAuditLogs, ApplicationMetricsLogs]` | `[ArchiveLogs, OperationalLogs, AutoScaleLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, RuntimeAuditLogs, ApplicationMetricsLogs]` | The name of logs that will be streamed. |
 | `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
 | `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
 | `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. |
@@ -46,7 +47,7 @@ This module deploys an event hub namespace.
 | `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. |
 | `maximumThroughputUnits` | int | `1` | | Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. |
 | `name` | string | `''` | | The name of the event hub namespace. If no name is provided, then unique name will be created. |
-| `networkAcls` | object | `{object}` | | Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. |
+| `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Networks ACLs, this object contains IPs/Subnets to whitelist or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. |
 | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints.For security reasons, it is recommended to use private endpoints whenever possible. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `skuCapacity` | int | `1` | | Event Hub plan scale-out capacity of the resource. |