From 40cad2e6c75cc67bb66d202c186b84224baf04f8 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Thu, 12 May 2022 22:32:31 +1000 Subject: [PATCH 1/8] updated event hub module for network rules --- .../namespaces/.parameters/parameters.json | 5 +- .../namespaces/deploy.bicep | 39 ++++++--- .../namespaces/networkRuleSets/deploy.bicep | 69 ++++++++++++++++ .../namespaces/networkRuleSets/readme.md | 82 +++++++++++++++++++ .../namespaces/networkRuleSets/version.json | 4 + arm/Microsoft.EventHub/namespaces/readme.md | 7 +- 6 files changed, 189 insertions(+), 17 deletions(-) create mode 100644 arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep create mode 100644 arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md create mode 100644 arm/Microsoft.EventHub/namespaces/networkRuleSets/version.json diff --git a/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json b/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json index 73526856e3..6316787a85 100644 --- a/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json @@ -105,9 +105,8 @@ "systemAssignedIdentity": { "value": true }, - "networkAcls": { + "networkRuleSets": { "value": { - "bypass": "AzureServices", "defaultAction": "Deny", "virtualNetworkRules": [ { @@ -115,7 +114,7 @@ "action": "Allow" } ], - "ipRules": [] + "trustedServiceAccessEnabled": false } }, "userAssignedIdentities": { diff --git a/arm/Microsoft.EventHub/namespaces/deploy.bicep b/arm/Microsoft.EventHub/namespaces/deploy.bicep index 00529fac2c..da1b044f28 100644 --- a/arm/Microsoft.EventHub/namespaces/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/deploy.bicep 
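Review bot: The reworked `networkRuleSets` fixture in the `@@ -105` and `@@ -115` hunks no longer exercises `ipRules` and never sets `publicNetworkAccess`, so the new child module's rule/`Disabled` interplay is not covered by this parameter file; only `defaultAction: "Deny"` with one virtual network rule and `trustedServiceAccessEnabled: false` remain. Since the child module rewrites `publicNetworkAccess` and `defaultAction` depending on whether rules are present, a fixture that also supplies an `ipRules` entry (for example `"ipRules": [ { "action": "Allow", "ipMask": "<constructed-cidr>" } ]`) and an explicit `"publicNetworkAccess": "Enabled"` would pin that behaviour. The enclosing `parameters` object starts and ends outside the hunks.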
@@ -43,8 +43,12 @@ param authorizationRules array = [ @description('Optional. Configuration Details for private endpoints.For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints array = [] -@description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny.') -param networkAcls object = {} +@description('Optional. Networks ACLs, this object contains IPs/Subnets to whitelist or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.') +param networkRuleSets object = { + publicNetworkAccess: 'Enabled' + defaultAction: 'Allow' + trustedServiceAccessEnabled: true +} @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') @minValue(0) @@ -96,20 +100,26 @@ param disasterRecoveryConfig object = {} @allowed([ 'ArchiveLogs' 'OperationalLogs' + 'AutoScaleLogs' 'KafkaCoordinatorLogs' 'KafkaUserErrorLogs' 'EventHubVNetConnectionEvent' 'CustomerManagedKeyUserLogs' - 'AutoScaleLogs' + 'RuntimeAuditLogs' + 'ApplicationMetricsLogs' + 'AllMetrics' ]) param diagnosticLogCategoriesToEnable array = [ 'ArchiveLogs' 'OperationalLogs' + 'AutoScaleLogs' 'KafkaCoordinatorLogs' 'KafkaUserErrorLogs' 'EventHubVNetConnectionEvent' 'CustomerManagedKeyUserLogs' - 'AutoScaleLogs' + 'RuntimeAuditLogs' + 'ApplicationMetricsLogs' + 'AllMetrics' ] @description('Optional. The name of metrics that will be streamed.') @@ -165,7 +175,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' = { +resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-11-01' = { name: name_var location: location tags: tags 
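Review bot: The new `networkRuleSets` default in the `@@ -43` hunk is a fully open rule set (`publicNetworkAccess: 'Enabled'`, `defaultAction: 'Allow'`, `trustedServiceAccessEnabled: true`), and the rewritten `@description` drops the concrete hardening guidance the removed text carried ("recommended to set the DefaultAction Deny") in favour of "recommended to configure this object". Because the parent now always deploys the child rule set (see the `networkRuleSets/deploy.bicep` module further down), this default is what every caller who omits the parameter gets, so the description should spell out the secure configuration rather than only pointing at the object: `@description('Optional. Network rule set for the namespace (IP rules, virtual network rules, default action, public network access). The default allows all public traffic; for security reasons it is recommended to set defaultAction to "Deny" or publicNetworkAccess to "Disabled" and rely on private endpoints.')`. The `trustedServiceAccessEnabled: true` default presumably lets trusted Azure services through the rule set even under `Deny`; that is worth naming in the same description so callers choose it deliberately.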
@@ -179,12 +189,6 @@ resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' = zoneRedundant: zoneRedundant isAutoInflateEnabled: isAutoInflateEnabled maximumThroughputUnits: maximumThroughputUnits_var - networkAcls: !empty(networkAcls) ? { - bypass: !empty(networkAcls) ? networkAcls.bypass : null - defaultAction: !empty(networkAcls) ? networkAcls.defaultAction : null - virtualNetworkRules: (!empty(networkAcls) && contains(networkAcls, 'virtualNetworkRules')) ? networkAcls.virtualNetworkRules : [] - ipRules: (!empty(networkAcls) && contains(networkAcls, 'ipRules')) ? networkAcls.ipRules : [] - } : null } } @@ -264,6 +268,19 @@ module eventHubNamespace_authorizationRules 'authorizationRules/deploy.bicep' = } }] +module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = { + name: '${uniqueString(deployment().name, location)}-EvhbNamespace-NetworkRuleSet' + params: { + namespaceName: eventHubNamespace.name + publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : 'Enabled' + defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow' + trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true + ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : [] + virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? networkRuleSets.virtualNetworkRules : [] + enableDefaultTelemetry: enableDefaultTelemetry + } +} + module eventHubNamespace_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: { name: '${uniqueString(deployment().name, location)}-EvhbNamespace-PrivateEndpoint-${index}' params: { diff --git a/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep new file mode 100644 index 0000000000..9bbae2789c 
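Review bot: The `@@ -264` hunk re-implements the child module's defaults (`'Enabled'`, `'Allow'`, `true`, `[]`) in the `contains(...)` fallbacks, so two places now have to agree on the secure/insecure default and will drift silently when one is changed; a comment above the module should make the contract explicit, e.g. `// Fallbacks mirror networkRuleSets/deploy.bicep defaults; keep both in sync`. The same hunk together with the `@@ -179` removal is a breaking rename (`networkAcls` with `bypass`/`ipRules` becomes `networkRuleSets` with `trustedServiceAccessEnabled`), and as far as the diffstat shows the parent module's own version file is not bumped in this patch, so a caller still passing `networkAcls` fails at deployment with no hint in the module documentation. Note also that a caller passing `{}` now gets an explicit Allow/Enabled rule set written to the namespace, where the removed inline `networkAcls` block left the property untouched (`null`) in that case; that difference should be documented in the parent readme.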
--- /dev/null
+++ b/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep
@@ -0,0 +1,69 @@
+@description('Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.')
+param namespaceName string
+
+@allowed([
+ 'Enabled'
+ 'Disabled'
+])
+@description('Optional. This determines if traffic is allowed over public network. Default it is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only.')
+param publicNetworkAccess string = 'Enabled'
+
+@allowed([
+ 'Allow'
+ 'Deny'
+])
+@description('Optional. Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules virtualNetworkRules or are being used. This would render the namespace resources inaccessible for data-plane requests if ipRules or virtualNetworkRules are not used and PublicNetworkAccess is set to "Disabled"')
+param defaultAction string = 'Allow'
+
+@description('Optional. List of IpRules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled".')
+param ipRules array = []
+
+@allowed([
+ true
+ false
+])
+@description('Optional. Value that indicates whether Trusted Service Access is Enabled or not. Default is "true" when publicNetworkAccess is "Enabled".')
+param trustedServiceAccessEnabled bool = true
+
+@description('Optional. List VirtualNetwork Rules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled".')
+param virtualNetworkRules array = []
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
+ name: namespaceName
+}
+
+resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2021-11-01' = {
+ name: 'default'
+ parent: namespace
+ properties: {
+ publicNetworkAccess: !(empty(ipRules)) || !(empty(virtualNetworkRules)) ? null : publicNetworkAccess
+ defaultAction: !(empty(ipRules)) || !(empty(virtualNetworkRules)) ? 'Deny' : defaultAction
+ trustedServiceAccessEnabled: trustedServiceAccessEnabled
+ ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules
+ virtualNetworkRules: publicNetworkAccess == 'Disabled' ? null : virtualNetworkRules
+ }
+}
+
+@description('The name of the network rule set.')
+output name string = networkRuleSet.name
+
+@description('The resource ID of the network rule set.')
+output resourceId string = networkRuleSet.id
+
+@description('The name of the resource group the network rule set was created in.')
+output resourceGroupName string = resourceGroup().name
diff --git a/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md b/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
new file mode 100644
index 0000000000..d11160f9e8
--- /dev/null
+++ b/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
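Review bot: In `networkRuleSet.properties` the two groups of conditions test different inputs, so a caller who passes `publicNetworkAccess: 'Disabled'` together with a non-empty `ipRules` or `virtualNetworkRules` is silently rewritten rather than rejected: the deployed rule set gets `publicNetworkAccess: null` (presumably the service default, not the requested `Disabled`), `defaultAction: 'Deny'`, and both rule lists set to `null`, which matches neither the caller's intent nor the parameter descriptions that promise "publicNetworkAccess will be set to "Enabled"". Making the code say what the descriptions say removes the ambiguity: `var rulesProvided = !empty(ipRules) || !empty(virtualNetworkRules)`, then `publicNetworkAccess: rulesProvided ? 'Enabled' : publicNetworkAccess` and `defaultAction: rulesProvided ? 'Deny' : defaultAction`, and the `ipRules`/`virtualNetworkRules` lines should either use the same variable or the readme should state plainly that rules are discarded whenever public access is disabled. The `defaultAction` description also has the words out of order ("if ipRules virtualNetworkRules or are being used") and should read "if ipRules or virtualNetworkRules are being used", and the `@allowed([ true false ])` decorator on a `bool` parameter is redundant and can be dropped.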
@@ -0,0 +1,82 @@ +# EventHub Namespaces NetworkRuleSets `[Microsoft.EventHub/namespaces/networkRuleSets]` + +This module deploys EventHub Namespaces NetworkRuleSets. +// TODO: Replace Resource and fill in description + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.EventHub/namespaces/networkRuleSets` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/networkRuleSets) | + +## Parameters + +**Conditional parameters** +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `namespaceName` | string | The name of the parent event hub namespace. Required if the template is used in a standalone deployment. | + +**Optional parameters** +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules virtualNetworkRules or are being used. This would render the namespace resources inaccessible for data-plane requests if ipRules or virtualNetworkRules are not used and PublicNetworkAccess is set to "Disabled" | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `ipRules` | array | `[]` | | List of IpRules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled". | +| `publicNetworkAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | This determines if traffic is allowed over public network. Default it is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only. | +| `trustedServiceAccessEnabled` | bool | `True` | `[True, False]` | Value that indicates whether Trusted Service Access is Enabled or not. 
Default is "true" when publicNetworkAccess is "Enabled". | +| `virtualNetworkRules` | array | `[]` | | List VirtualNetwork Rules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled". | + + +### Parameter Usage: `` + +Contains an array of subnets that this Event Hub Namespace is exposed to via Service Endpoints. You can enable the `ignoreMissingVnetServiceEndpoint` if you wish to add this virtual network to Event Hub Namespace but do not have an existing service endpoint. + +```json +"virtualNetworkRules": { + "value": [ + { + "ignoreMissingVnetServiceEndpoint": true, + "subnet": { + "id": "/subscriptions/<>/resourcegroups/<>/providers/Microsoft.Network/virtualNetworks/<>/subnets/<>" + } + }, + { + "ignoreMissingVnetServiceEndpoint": false, + "subnet": { + "id": "/subscriptions/<>/resourcegroups/<>/providers/Microsoft.Network/virtualNetworks/<>/subnets/<>" + } + } +} +``` + +### Parameter Usage: `` + +Contains an array of objects for the public IP ranges you want to allow via the Event Hub Namespace firewall. Supports IPv4 address or CIDR. + +```json +"ipRules": { + "value": [ + { + "action": "Allow", + "ipMask": "a.b.c.d/e" + }, + { + "action": "Allow", + "ipMask": "x.x.x.x/x" + } +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the network rule set. | +| `resourceGroupName` | string | The name of the resource group the network rule set was created in. | +| `resourceId` | string | The resource ID of the network rule set. | diff --git a/arm/Microsoft.EventHub/namespaces/networkRuleSets/version.json b/arm/Microsoft.EventHub/namespaces/networkRuleSets/version.json new file mode 100644 index 0000000000..56f8d9ca40 --- /dev/null +++ b/arm/Microsoft.EventHub/namespaces/networkRuleSets/version.json 
@@ -0,0 +1,4 @@
+{
+ "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+ "version": "0.4"
+}
diff --git a/arm/Microsoft.EventHub/namespaces/readme.md b/arm/Microsoft.EventHub/namespaces/readme.md
index f0f7c95209..73bc229e64 100644
--- a/arm/Microsoft.EventHub/namespaces/readme.md
+++ b/arm/Microsoft.EventHub/namespaces/readme.md
@@ -14,12 +14,13 @@ This module deploys an event hub namespace. | :-- | :-- | | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | -| `Microsoft.EventHub/namespaces` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces) | +| `Microsoft.EventHub/namespaces` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces) | | `Microsoft.EventHub/namespaces/authorizationRules` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/authorizationRules) | | `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/disasterRecoveryConfigs) | | `Microsoft.EventHub/namespaces/eventhubs` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs) | | `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/authorizationRules) | | `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/consumergroups) | +| `Microsoft.EventHub/namespaces/networkRuleSets` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/networkRuleSets) | | `Microsoft.Insights/diagnosticSettings` | 
[2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | 
@@ -32,7 +33,7 @@ This module deploys an event hub namespace. | `authorizationRules` | _[authorizationRules](authorizationRules/readme.md)_ array | `[System.Collections.Hashtable]` | | Authorization Rules for the Event Hub namespace. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[ArchiveLogs, OperationalLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, AutoScaleLogs]` | `[ArchiveLogs, OperationalLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, AutoScaleLogs]` | The name of logs that will be streamed. | +| `diagnosticLogCategoriesToEnable` | array | `[ArchiveLogs, OperationalLogs, AutoScaleLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, RuntimeAuditLogs, ApplicationMetricsLogs, AllMetrics]` | `[ArchiveLogs, OperationalLogs, AutoScaleLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, RuntimeAuditLogs, ApplicationMetricsLogs, AllMetrics]` | The name of logs that will be streamed. | | `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | | `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | | `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. | 
@@ -46,7 +47,7 @@ This module deploys an event hub namespace. | `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `maximumThroughputUnits` | int | `1` | | Upper limit of throughput units when AutoInflate is enabled, value should be within 0 to 20 throughput units. | | `name` | string | `''` | | The name of the event hub namespace. If no name is provided, then unique name will be created. | -| `networkAcls` | object | `{object}` | | Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny. | +| `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Networks ACLs, this object contains IPs/Subnets to whitelist or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints.For security reasons, it is recommended to use private endpoints whenever possible. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `skuCapacity` | int | `1` | | Event Hub plan scale-out capacity of the resource. | From 61fa0e861c726e344103fee1a00e76fa62967aa4 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Thu, 12 May 2022 23:24:30 +1000 Subject: [PATCH 2/8] updated API versions on event hub --- .../namespaces/.bicep/nested_rbac.bicep | 2 +- .../namespaces/authorizationRules/deploy.bicep | 4 ++-- .../namespaces/authorizationRules/readme.md | 2 +- arm/Microsoft.EventHub/namespaces/deploy.bicep | 2 -- .../namespaces/disasterRecoveryConfigs/deploy.bicep | 4 ++-- .../namespaces/disasterRecoveryConfigs/readme.md | 2 +- .../namespaces/eventhubs/.bicep/nested_rbac.bicep | 2 +- .../eventhubs/authorizationRules/deploy.bicep | 6 +++--- .../eventhubs/authorizationRules/readme.md | 2 +- .../namespaces/eventhubs/consumergroups/deploy.bicep | 6 +++--- .../namespaces/eventhubs/consumergroups/readme.md | 2 +- .../namespaces/eventhubs/deploy.bicep | 4 ++-- .../namespaces/eventhubs/readme.md | 6 +++--- arm/Microsoft.EventHub/namespaces/readme.md | 12 ++++++------ 14 files changed, 27 insertions(+), 29 deletions(-) diff --git a/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep b/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep index d3ff1c59e2..e574141c4e 100644 --- a/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.EventHub/namespaces/.bicep/nested_rbac.bicep @@ -42,7 +42,7 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource eventHubNamespace 'Microsoft.EventHub/namespaces@2017-04-01' existing = { +resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = { name: last(split(resourceId, '/')) } diff --git a/arm/Microsoft.EventHub/namespaces/authorizationRules/deploy.bicep b/arm/Microsoft.EventHub/namespaces/authorizationRules/deploy.bicep index 743ba22f23..464fd3906e 100644 --- a/arm/Microsoft.EventHub/namespaces/authorizationRules/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/authorizationRules/deploy.bicep 
@@ -27,11 +27,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = { +resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = { name: namespaceName } -resource authorizationRule 'Microsoft.EventHub/namespaces/AuthorizationRules@2017-04-01' = { +resource authorizationRule 'Microsoft.EventHub/namespaces/AuthorizationRules@2021-11-01' = { name: name parent: namespace properties: { diff --git a/arm/Microsoft.EventHub/namespaces/authorizationRules/readme.md b/arm/Microsoft.EventHub/namespaces/authorizationRules/readme.md index 67d6117b3a..d51b8b653d 100644 --- a/arm/Microsoft.EventHub/namespaces/authorizationRules/readme.md +++ b/arm/Microsoft.EventHub/namespaces/authorizationRules/readme.md @@ -12,7 +12,7 @@ This module deploys an EventHub Namespace Authorization Rule | Resource Type | API Version | | :-- | :-- | -| `Microsoft.EventHub/namespaces/authorizationRules` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/authorizationRules) | +| `Microsoft.EventHub/namespaces/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/authorizationRules) | ## Parameters diff --git a/arm/Microsoft.EventHub/namespaces/deploy.bicep b/arm/Microsoft.EventHub/namespaces/deploy.bicep index da1b044f28..17a6c63647 100644 --- a/arm/Microsoft.EventHub/namespaces/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/deploy.bicep @@ -107,7 +107,6 @@ param disasterRecoveryConfig object = {} 'CustomerManagedKeyUserLogs' 'RuntimeAuditLogs' 'ApplicationMetricsLogs' - 'AllMetrics' ]) param diagnosticLogCategoriesToEnable array = [ 'ArchiveLogs' 
@@ -119,7 +118,6 @@ param diagnosticLogCategoriesToEnable array = [ 'CustomerManagedKeyUserLogs' 'RuntimeAuditLogs' 'ApplicationMetricsLogs' - 'AllMetrics' ] @description('Optional. The name of metrics that will be streamed.') diff --git a/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/deploy.bicep b/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/deploy.bicep index c8cb528758..ce678348e0 100644 --- a/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/deploy.bicep @@ -22,11 +22,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = { +resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = { name: namespaceName } -resource disasterRecoveryConfig 'Microsoft.EventHub/namespaces/disasterRecoveryConfigs@2017-04-01' = { +resource disasterRecoveryConfig 'Microsoft.EventHub/namespaces/disasterRecoveryConfigs@2021-11-01' = { name: name parent: namespace properties: { diff --git a/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/readme.md b/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/readme.md index 83c1445822..d66effcad9 100644 --- a/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/readme.md +++ b/arm/Microsoft.EventHub/namespaces/disasterRecoveryConfigs/readme.md @@ -12,7 +12,7 @@ This module deploys an EventHub Namespace Disaster Recovery Config | Resource Type | API Version | | :-- | :-- | -| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/disasterRecoveryConfigs) | +| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/disasterRecoveryConfigs) | ## Parameters 
diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_rbac.bicep b/arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_rbac.bicep index 151706bbcb..1bfa9a5eaa 100644 --- a/arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.EventHub/namespaces/eventhubs/.bicep/nested_rbac.bicep @@ -40,7 +40,7 @@ var builtInRoleNames = { 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') } -resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-06-01-preview' existing = { +resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-11-01' existing = { name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}}' } diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/deploy.bicep b/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/deploy.bicep index 8690cf47ed..db796b1e96 100644 --- a/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/deploy.bicep @@ -30,15 +30,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = { +resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = { name: namespaceName - resource eventhub 'eventHubs@2021-06-01-preview' existing = { + resource eventhub 'eventHubs@2021-11-01' existing = { name: eventHubName } } -resource authorizationRule 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules@2021-06-01-preview' = { +resource authorizationRule 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules@2021-11-01' = { name: name parent: namespace::eventhub properties: { 
diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/readme.md b/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/readme.md index f33c1c6fd7..a188dffa89 100644 --- a/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/readme.md +++ b/arm/Microsoft.EventHub/namespaces/eventhubs/authorizationRules/readme.md @@ -12,7 +12,7 @@ This module deploys an EventHub Namespace EventHubs Authorization Rule | Resource Type | API Version | | :-- | :-- | -| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/authorizationRules) | +| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/authorizationRules) | ## Parameters diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/deploy.bicep b/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/deploy.bicep index 1b03bf2aa8..c6f9f500f3 100644 --- a/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/deploy.bicep @@ -25,15 +25,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = { +resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = { name: namespaceName - resource eventhub 'eventHubs@2021-06-01-preview' existing = { + resource eventhub 'eventHubs@2021-11-01' existing = { name: eventHubName } } -resource consumerGroup 'Microsoft.EventHub/namespaces/eventhubs/consumergroups@2021-06-01-preview' = { +resource consumerGroup 'Microsoft.EventHub/namespaces/eventhubs/consumergroups@2021-11-01' = { name: name parent: namespace::eventhub properties: { 
diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/readme.md b/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/readme.md index c643cd19de..9699fc7968 100644 --- a/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/readme.md +++ b/arm/Microsoft.EventHub/namespaces/eventhubs/consumergroups/readme.md @@ -12,7 +12,7 @@ This module deploys an EventHub Namespace EventHubs Consumer Group | Resource Type | API Version | | :-- | :-- | -| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/consumergroups) | +| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/consumergroups) | ## Parameters diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/deploy.bicep b/arm/Microsoft.EventHub/namespaces/eventhubs/deploy.bicep index 50323cceca..178cf4c53e 100644 --- a/arm/Microsoft.EventHub/namespaces/eventhubs/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/eventhubs/deploy.bicep @@ -134,11 +134,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = { +resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = { name: namespaceName } -resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-06-01-preview' = { +resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-11-01' = { name: name parent: namespace properties: captureDescriptionEnabled ? eventHubPropertiesWithCapture : eventHubPropertiesSimple diff --git a/arm/Microsoft.EventHub/namespaces/eventhubs/readme.md b/arm/Microsoft.EventHub/namespaces/eventhubs/readme.md index d928b62dbe..ad6e523ce5 100644 --- a/arm/Microsoft.EventHub/namespaces/eventhubs/readme.md 
+++ b/arm/Microsoft.EventHub/namespaces/eventhubs/readme.md @@ -14,9 +14,9 @@ This module deploys an Event Hub. | :-- | :-- | | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | -| `Microsoft.EventHub/namespaces/eventhubs` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs) | -| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/authorizationRules) | -| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/consumergroups) | +| `Microsoft.EventHub/namespaces/eventhubs` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs) | +| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/authorizationRules) | +| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/consumergroups) | ## Parameters diff --git a/arm/Microsoft.EventHub/namespaces/readme.md b/arm/Microsoft.EventHub/namespaces/readme.md index 73bc229e64..81786723ab 100644 --- a/arm/Microsoft.EventHub/namespaces/readme.md +++ b/arm/Microsoft.EventHub/namespaces/readme.md 
@@ -15,11 +15,11 @@ This module deploys an event hub namespace. | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.EventHub/namespaces` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces) | -| `Microsoft.EventHub/namespaces/authorizationRules` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/authorizationRules) | -| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/disasterRecoveryConfigs) | -| `Microsoft.EventHub/namespaces/eventhubs` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs) | -| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/authorizationRules) | -| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/consumergroups) | +| `Microsoft.EventHub/namespaces/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/authorizationRules) | +| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/disasterRecoveryConfigs) | +| `Microsoft.EventHub/namespaces/eventhubs` | 
[2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs) | +| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/authorizationRules) | +| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/consumergroups) | | `Microsoft.EventHub/namespaces/networkRuleSets` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/networkRuleSets) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | 
@@ -33,7 +33,7 @@ This module deploys an event hub namespace. | `authorizationRules` | _[authorizationRules](authorizationRules/readme.md)_ array | `[System.Collections.Hashtable]` | | Authorization Rules for the Event Hub namespace. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogCategoriesToEnable` | array | `[ArchiveLogs, OperationalLogs, AutoScaleLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, RuntimeAuditLogs, ApplicationMetricsLogs, AllMetrics]` | `[ArchiveLogs, OperationalLogs, AutoScaleLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, RuntimeAuditLogs, ApplicationMetricsLogs, AllMetrics]` | The name of logs that will be streamed. | +| `diagnosticLogCategoriesToEnable` | array | `[ArchiveLogs, OperationalLogs, AutoScaleLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, RuntimeAuditLogs, ApplicationMetricsLogs]` | `[ArchiveLogs, OperationalLogs, AutoScaleLogs, KafkaCoordinatorLogs, KafkaUserErrorLogs, EventHubVNetConnectionEvent, CustomerManagedKeyUserLogs, RuntimeAuditLogs, ApplicationMetricsLogs]` | The name of logs that will be streamed. | | `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | | `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. 
| | `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. | From 5d4b455121482fa3c878405937c89912e893dee2 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 13 May 2022 12:27:33 +1000 Subject: [PATCH 3/8] updated readme for network rules --- arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md b/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md index d11160f9e8..59922fd0a0 100644 --- a/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md +++ b/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md @@ -52,6 +52,7 @@ Contains an array of subnets that this Event Hub Namespace is exposed to via Ser "id": "/subscriptions/<>/resourcegroups/<>/providers/Microsoft.Network/virtualNetworks/<>/subnets/<>" } } + ] } ``` @@ -70,6 +71,7 @@ Contains an array of objects for the public IP ranges you want to allow via the "action": "Allow", "ipMask": "x.x.x.x/x" } + ] } ``` From 9e278be9055d0920a27d961a00c128234d9b3615 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 13 May 2022 12:29:03 +1000 Subject: [PATCH 4/8] updated readme --- arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md | 1 - 1 file changed, 1 deletion(-) diff --git a/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md b/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md index 59922fd0a0..e90e650a45 100644 --- a/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md +++ b/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md @@ -1,7 +1,6 @@ # EventHub Namespaces NetworkRuleSets `[Microsoft.EventHub/namespaces/networkRuleSets]` This module deploys EventHub Namespaces NetworkRuleSets. -// TODO: Replace Resource and fill in description ## Navigation 
From 839bd2b6327e899101fb0d883072a57a7dd34e0b Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 13 May 2022 21:40:51 +1000 Subject: [PATCH 5/8] Removed defaults from the bicep module --- .../namespaces/.parameters/parameters.json | 6 ++++-- arm/Microsoft.EventHub/namespaces/deploy.bicep | 10 +++------- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json b/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json index 6316787a85..9b66b65378 100644 --- a/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json @@ -110,8 +110,10 @@ "defaultAction": "Deny", "virtualNetworkRules": [ { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001", - "action": "Allow" + "subnet": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001" + }, + "ignoreMissingVnetServiceEndpoint": true } ], "trustedServiceAccessEnabled": false diff --git a/arm/Microsoft.EventHub/namespaces/deploy.bicep b/arm/Microsoft.EventHub/namespaces/deploy.bicep index 17a6c63647..a45f2073e5 100644 --- a/arm/Microsoft.EventHub/namespaces/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/deploy.bicep 
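Review bot: The new `"ignoreMissingVnetServiceEndpoint": true` on the virtual network rule makes the deployment succeed even when the referenced subnet has no `Microsoft.EventHub` service endpoint, and as far as I understand the rule then admits no traffic until that endpoint exists. That is fine for a validation fixture, but it hides the most common misconfiguration of this feature, and nothing in the series tells a consumer when to copy it. I would document it next to the `virtualNetworkRules` example in the networkRuleSets readme with one sentence: `Set ignoreMissingVnetServiceEndpoint to true only when the subnet's Microsoft.EventHub service endpoint is provisioned separately; otherwise the rule is accepted but allows no traffic.`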
@@ -44,11 +44,7 @@ param authorizationRules array = [ param privateEndpoints array = [] @description('Optional. Networks ACLs, this object contains IPs/Subnets to whitelist or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.') -param networkRuleSets object = { - publicNetworkAccess: 'Enabled' - defaultAction: 'Allow' - trustedServiceAccessEnabled: true -} +param networkRuleSets object = {} @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') @minValue(0) @@ -266,13 +262,13 @@ module eventHubNamespace_authorizationRules 'authorizationRules/deploy.bicep' = } }] -module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = { +module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!empty(networkRuleSets)) { name: '${uniqueString(deployment().name, location)}-EvhbNamespace-NetworkRuleSet' params: { namespaceName: eventHubNamespace.name publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : 'Enabled' defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow' - trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true + trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : null ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : [] virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? networkRuleSets.virtualNetworkRules : [] enableDefaultTelemetry: enableDefaultTelemetry From cd810553b785ef4632458a846ee28e0150c80888 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 13 May 2022 21:42:49 +1000 Subject: [PATCH 6/8] restored to use defaults --- arm/Microsoft.EventHub/namespaces/deploy.bicep | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.EventHub/namespaces/deploy.bicep b/arm/Microsoft.EventHub/namespaces/deploy.bicep index a45f2073e5..17a6c63647 100644 --- a/arm/Microsoft.EventHub/namespaces/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/deploy.bicep @@ -44,7 +44,11 @@ param authorizationRules array = [ param privateEndpoints array = [] @description('Optional. Networks ACLs, this object contains IPs/Subnets to whitelist or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.') -param networkRuleSets object = {} +param networkRuleSets object = { + publicNetworkAccess: 'Enabled' + defaultAction: 'Allow' + trustedServiceAccessEnabled: true +} @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') @minValue(0) 
@@ -262,13 +266,13 @@ module eventHubNamespace_authorizationRules 'authorizationRules/deploy.bicep' = } }] -module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!empty(networkRuleSets)) { +module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = { name: '${uniqueString(deployment().name, location)}-EvhbNamespace-NetworkRuleSet' params: { namespaceName: eventHubNamespace.name publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : 'Enabled' defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow' - trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : null + trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : [] virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? networkRuleSets.virtualNetworkRules : [] enableDefaultTelemetry: enableDefaultTelemetry From bca9549fe6a6b3ca75f05c5c376be746d32e0375 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 14 May 2022 07:16:52 +1000 Subject: [PATCH 7/8] Update arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep Co-authored-by: Alexander Sehr --- arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep index 9bbae2789c..cc805c0803 100644 --- a/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep 
@@ -51,7 +51,7 @@ resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2021-11-0 name: 'default' parent: namespace properties: { - publicNetworkAccess: !(empty(ipRules)) || !(empty(virtualNetworkRules)) ? null : publicNetworkAccess + publicNetworkAccess: !empty(ipRules) || !empty(virtualNetworkRules) ? null : publicNetworkAccess defaultAction: !(empty(ipRules)) || !(empty(virtualNetworkRules)) ? 'Deny' : defaultAction trustedServiceAccessEnabled: trustedServiceAccessEnabled ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules From 3c289afc562398c0eb867330df336fdfdf871632 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 14 May 2022 08:12:07 +1000 Subject: [PATCH 8/8] Updated Namespace and networkRules config --- .../namespaces/.parameters/parameters.json | 6 ++++++ arm/Microsoft.EventHub/namespaces/deploy.bicep | 8 ++------ .../namespaces/networkRuleSets/deploy.bicep | 6 +++--- .../namespaces/networkRuleSets/readme.md | 4 ++-- 4 files changed, 13 insertions(+), 11 deletions(-) diff --git a/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json b/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json index 9b66b65378..33cf7d93bf 100644 --- a/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json @@ -108,6 +108,12 @@ "networkRuleSets": { "value": { "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "ipMask": "10.10.10.10" + } + ], "virtualNetworkRules": [ { "subnet": { diff --git a/arm/Microsoft.EventHub/namespaces/deploy.bicep b/arm/Microsoft.EventHub/namespaces/deploy.bicep index 17a6c63647..c239d9c2c1 100644 --- a/arm/Microsoft.EventHub/namespaces/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/deploy.bicep 
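Review bot: The added `ipRules` entry uses `"ipMask": "10.10.10.10"`, an RFC 1918 address, while Event Hubs IP firewall rules are, to my knowledge, evaluated against the client's public source address, so this rule cannot match real traffic and only proves the property round-trips through the API. If the fixture is meant to exercise the allow-list it should use a documentation-range public address in the CIDR form the readme example shows (`x.x.x.x/x`), e.g. `"ipMask": "203.0.113.10/32"`. A bare host address is also inconsistent with that readme example; pick one form for both.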
@@ -44,11 +44,7 @@ param authorizationRules array = [ param privateEndpoints array = [] @description('Optional. Networks ACLs, this object contains IPs/Subnets to whitelist or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.') -param networkRuleSets object = { - publicNetworkAccess: 'Enabled' - defaultAction: 'Allow' - trustedServiceAccessEnabled: true -} +param networkRuleSets object = {} @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') @minValue(0) @@ -266,7 +262,7 @@ module eventHubNamespace_authorizationRules 'authorizationRules/deploy.bicep' = } }] -module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = { +module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!empty(networkRuleSets)) { name: '${uniqueString(deployment().name, location)}-EvhbNamespace-NetworkRuleSet' params: { namespaceName: eventHubNamespace.name diff --git a/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep index cc805c0803..9940f008a6 100644 --- a/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/networkRuleSets/deploy.bicep 
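Review bot: With `if (!empty(networkRuleSets))` and the default now `{}`, a caller who omits the parameter gets no `networkRuleSets/default` resource at all, so the namespace keeps whatever the service applies by default (public network access enabled, default action Allow) and, on a redeployment over an existing namespace, any rule set already present is left untouched rather than reset. That is a defensible trade-off, but the parameter description in the first hunk only says configuring the object is "recommended" and does not say what omitting it means. I would append to the description: `When left empty, no network rule set is deployed and the namespace stays reachable from any public network; pass at least { defaultAction: 'Deny' } or { publicNetworkAccess: 'Disabled' } to restrict it.` Note also that the `contains(...)` fallbacks further down the module call (outside this hunk, as left by patch 6/8) still default to `'Enabled'`/`'Allow'`/`true`, so a partial object such as `{ ipRules: [...] }` still enables trusted-service access unless the caller sets it explicitly.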
@@ -12,7 +12,7 @@ param publicNetworkAccess string = 'Enabled' 'Allow' 'Deny' ]) -@description('Optional. Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules virtualNetworkRules or are being used. This would render the namespace resources inaccessible for data-plane requests if ipRules or virtualNetworkRules are not used and PublicNetworkAccess is set to "Disabled"') +@description('Optional. Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules/virtualNetworkRules or are being used. If ipRules/virtualNetworkRules are not used and PublicNetworkAccess is set to "Disabled", setting this to "Deny" would render the namespace resources inaccessible for data-plane requests') param defaultAction string = 'Allow' @description('Optional. List of IpRules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled".') @@ -22,7 +22,7 @@ param ipRules array = [] true false ]) -@description('Optional. Value that indicates whether Trusted Service Access is Enabled or not. Default is "true" when publicNetworkAccess is "Enabled".') +@description('Optional. Value that indicates whether Trusted Service Access is Enabled or not. Default is "true".') param trustedServiceAccessEnabled bool = true @description('Optional. List VirtualNetwork Rules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled".') 
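Review bot: The reworded `@description` of `defaultAction` still carries the garbled clause `Will be set to "Deny" if ipRules/virtualNetworkRules or are being used`, so the sentence a consumer reads in the readme remains unparseable. Propose `Will be set to "Deny" when ipRules or virtualNetworkRules are supplied.` The readme table changed at the end of this series appears to be generated from this description, so the wording should be fixed here rather than in the table.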
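Review bot: The `trustedServiceAccessEnabled` description now just says `Default is "true"`, but the consequence of that default is the security-relevant part: as I understand the property, `true` lets trusted Azure services reach the namespace around the IP/VNet rules even after `defaultAction` has been forced to Deny, so a caller building a strict allow-list gets that bypass unless they pass `false` explicitly (the parameter file in this series does). Propose: `Value that indicates whether Trusted Service Access is Enabled or not. Default is "true", which lets trusted Azure services bypass the IP/VNet rules even when defaultAction is "Deny"; set to "false" for a strict allow-list.`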
@@ -52,7 +52,7 @@ resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2021-11-0
 parent: namespace
 properties: {
 publicNetworkAccess: !empty(ipRules) || !empty(virtualNetworkRules) ? null : publicNetworkAccess
- defaultAction: !(empty(ipRules)) || !(empty(virtualNetworkRules)) ? 'Deny' : defaultAction
+ defaultAction: !empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction
 trustedServiceAccessEnabled: trustedServiceAccessEnabled
 ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules
 virtualNetworkRules: publicNetworkAccess == 'Disabled' ? null : virtualNetworkRules
diff --git a/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md b/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
index e90e650a45..46c9af2331 100644
--- a/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
+++ b/arm/Microsoft.EventHub/namespaces/networkRuleSets/readme.md
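Review bot: The `publicNetworkAccess` line just above the changed one still turns an explicit `'Disabled'` into `null` as soon as `ipRules` or `virtualNetworkRules` is non-empty, while the last two lines of the hunk drop those very rules because `publicNetworkAccess == 'Disabled'`; the caller then gets neither private-endpoint-only access nor the allow-list, but an unset property with `defaultAction: 'Deny'`, which is not what either input asked for. The explicit value should win: `publicNetworkAccess: publicNetworkAccess` and `defaultAction: publicNetworkAccess != 'Disabled' && (!empty(ipRules) || !empty(virtualNetworkRules)) ? 'Deny' : defaultAction`. That also matches the parameter descriptions, which promise that rules imply publicNetworkAccess "Enabled" (the parameter's default) rather than an omitted property. The `networkRuleSet` resource declaration begins before this hunk.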
@@ -24,11 +24,11 @@ This module deploys EventHub Namespaces NetworkRuleSets. **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules virtualNetworkRules or are being used. This would render the namespace resources inaccessible for data-plane requests if ipRules or virtualNetworkRules are not used and PublicNetworkAccess is set to "Disabled" | +| `defaultAction` | string | `'Allow'` | `[Allow, Deny]` | Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules/virtualNetworkRules or are being used. If ipRules/virtualNetworkRules are not used and PublicNetworkAccess is set to "Disabled", setting this to "Deny" would render the namespace resources inaccessible for data-plane requests | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `ipRules` | array | `[]` | | List of IpRules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled". | | `publicNetworkAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | This determines if traffic is allowed over public network. Default it is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only. | -| `trustedServiceAccessEnabled` | bool | `True` | `[True, False]` | Value that indicates whether Trusted Service Access is Enabled or not. Default is "true" when publicNetworkAccess is "Enabled". | +| `trustedServiceAccessEnabled` | bool | `True` | `[True, False]` | Value that indicates whether Trusted Service Access is Enabled or not. Default is "true". | | `virtualNetworkRules` | array | `[]` | | List VirtualNetwork Rules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled". |