Azure · ahmadabdalla · May 17, 2022 · May 12, 2022 · May 12, 2022 · May 13, 2022
@@ -42,7 +42,7 @@ var builtInRoleNames = {
   'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
 
-resource eventHubNamespace 'Microsoft.EventHub/namespaces@2017-04-01' existing = {
+resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
   name: last(split(resourceId, '/'))
 }
 

@@ -105,17 +105,24 @@
         "systemAssignedIdentity": {
             "value": true
         },
-        "networkAcls": {
+        "networkRuleSets": {
             "value": {
-                "bypass": "AzureServices",
                 "defaultAction": "Deny",
+                "ipRules": [
+                    {
+                        "action": "Allow",
+                        "ipMask": "10.10.10.10"
+                    }
+                ],
                 "virtualNetworkRules": [
                     {
-                        "id": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-001",
-                        "action": "Allow"
+                        "subnet": {
+                            "id": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-001"
+                        },
+                        "ignoreMissingVnetServiceEndpoint": true
                     }
                 ],
-                "ipRules": []
+                "trustedServiceAccessEnabled": false
             }
         },
         "userAssignedIdentities": {

@@ -27,11 +27,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
 
-resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
   name: namespaceName
 }
 
-resource authorizationRule 'Microsoft.EventHub/namespaces/AuthorizationRules@2017-04-01' = {
+resource authorizationRule 'Microsoft.EventHub/namespaces/AuthorizationRules@2021-11-01' = {
   name: name
   parent: namespace
   properties: {

@@ -12,7 +12,7 @@ This module deploys an EventHub Namespace Authorization Rule
 
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.EventHub/namespaces/authorizationRules` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/authorizationRules) |
+| `Microsoft.EventHub/namespaces/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/authorizationRules) |
 
 ## Parameters
 

@@ -43,8 +43,8 @@ param authorizationRules array = [
 @description('Optional. Configuration Details for private endpoints.For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints array = []
 
-@description('Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. For security reasons, it is recommended to set the DefaultAction Deny.')
-param networkAcls object = {}
+@description('Optional. Networks ACLs, this object contains IPs/Subnets to whitelist or restrict access to private endpoints only. For security reasons, it is recommended to configure this object on the Namespace.')
+param networkRuleSets object = {}
 
 @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
 @minValue(0)
@@ -96,20 +96,24 @@ param disasterRecoveryConfig object = {}
 @allowed([
   'ArchiveLogs'
   'OperationalLogs'
+  'AutoScaleLogs'
   'KafkaCoordinatorLogs'
   'KafkaUserErrorLogs'
   'EventHubVNetConnectionEvent'
   'CustomerManagedKeyUserLogs'
-  'AutoScaleLogs'
+  'RuntimeAuditLogs'
+  'ApplicationMetricsLogs'
 ])
 param diagnosticLogCategoriesToEnable array = [
   'ArchiveLogs'
   'OperationalLogs'
+  'AutoScaleLogs'
   'KafkaCoordinatorLogs'
   'KafkaUserErrorLogs'
   'EventHubVNetConnectionEvent'
   'CustomerManagedKeyUserLogs'
-  'AutoScaleLogs'
+  'RuntimeAuditLogs'
+  'ApplicationMetricsLogs'
 ]
 
 @description('Optional. The name of metrics that will be streamed.')
@@ -165,7 +169,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
 
-resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' = {
+resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-11-01' = {
   name: name_var
   location: location
   tags: tags
@@ -179,12 +183,6 @@ resource eventHubNamespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' =
     zoneRedundant: zoneRedundant
     isAutoInflateEnabled: isAutoInflateEnabled
     maximumThroughputUnits: maximumThroughputUnits_var
-    networkAcls: !empty(networkAcls) ? {
-      bypass: !empty(networkAcls) ? networkAcls.bypass : null
-      defaultAction: !empty(networkAcls) ? networkAcls.defaultAction : null
-      virtualNetworkRules: (!empty(networkAcls) && contains(networkAcls, 'virtualNetworkRules')) ? networkAcls.virtualNetworkRules : []
-      ipRules: (!empty(networkAcls) && contains(networkAcls, 'ipRules')) ? networkAcls.ipRules : []
-    } : null
   }
 }
 
@@ -264,6 +262,19 @@ module eventHubNamespace_authorizationRules 'authorizationRules/deploy.bicep' =
   }
 }]
 
+module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!empty(networkRuleSets)) {
+  name: '${uniqueString(deployment().name, location)}-EvhbNamespace-NetworkRuleSet'
+  params: {
+    namespaceName: eventHubNamespace.name
+    publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : 'Enabled'
+    defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : 'Allow'
+    trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true
+    ipRules: contains(networkRuleSets, 'ipRules') ? networkRuleSets.ipRules : []
+    virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? networkRuleSets.virtualNetworkRules : []
+    enableDefaultTelemetry: enableDefaultTelemetry
+  }
+}
+
 module eventHubNamespace_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: {
   name: '${uniqueString(deployment().name, location)}-EvhbNamespace-PrivateEndpoint-${index}'
   params: {

@@ -22,11 +22,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
 
-resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
   name: namespaceName
 }
 
-resource disasterRecoveryConfig 'Microsoft.EventHub/namespaces/disasterRecoveryConfigs@2017-04-01' = {
+resource disasterRecoveryConfig 'Microsoft.EventHub/namespaces/disasterRecoveryConfigs@2021-11-01' = {
   name: name
   parent: namespace
   properties: {

@@ -12,7 +12,7 @@ This module deploys an EventHub Namespace Disaster Recovery Config
 
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2017-04-01/namespaces/disasterRecoveryConfigs) |
+| `Microsoft.EventHub/namespaces/disasterRecoveryConfigs` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/disasterRecoveryConfigs) |
 
 ## Parameters
 

@@ -40,7 +40,7 @@ var builtInRoleNames = {
   'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
 
-resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-06-01-preview' existing = {
+resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-11-01' existing = {
   name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}}'
 }
 

@@ -30,15 +30,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
 
-resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
   name: namespaceName
 
-  resource eventhub 'eventHubs@2021-06-01-preview' existing = {
+  resource eventhub 'eventHubs@2021-11-01' existing = {
     name: eventHubName
   }
 }
 
-resource authorizationRule 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules@2021-06-01-preview' = {
+resource authorizationRule 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules@2021-11-01' = {
   name: name
   parent: namespace::eventhub
   properties: {

@@ -12,7 +12,7 @@ This module deploys an EventHub Namespace EventHubs Authorization Rule
 
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/authorizationRules) |
+| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/authorizationRules) |
 
 ## Parameters
 

@@ -25,15 +25,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
 
-resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
   name: namespaceName
 
-  resource eventhub 'eventHubs@2021-06-01-preview' existing = {
+  resource eventhub 'eventHubs@2021-11-01' existing = {
     name: eventHubName
   }
 }
 
-resource consumerGroup 'Microsoft.EventHub/namespaces/eventhubs/consumergroups@2021-06-01-preview' = {
+resource consumerGroup 'Microsoft.EventHub/namespaces/eventhubs/consumergroups@2021-11-01' = {
   name: name
   parent: namespace::eventhub
   properties: {

@@ -12,7 +12,7 @@ This module deploys an EventHub Namespace EventHubs Consumer Group
 
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/consumergroups) |
+| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/consumergroups) |
 
 ## Parameters
 

@@ -134,11 +134,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
 
-resource namespace 'Microsoft.EventHub/namespaces@2021-06-01-preview' existing = {
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
   name: namespaceName
 }
 
-resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-06-01-preview' = {
+resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2021-11-01' = {
   name: name
   parent: namespace
   properties: captureDescriptionEnabled ? eventHubPropertiesWithCapture : eventHubPropertiesSimple

@@ -14,9 +14,9 @@ This module deploys an Event Hub.
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) |
-| `Microsoft.EventHub/namespaces/eventhubs` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs) |
-| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/authorizationRules) |
-| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-06-01-preview/namespaces/eventhubs/consumergroups) |
+| `Microsoft.EventHub/namespaces/eventhubs` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs) |
+| `Microsoft.EventHub/namespaces/eventhubs/authorizationRules` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/authorizationRules) |
+| `Microsoft.EventHub/namespaces/eventhubs/consumergroups` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventHub/2021-11-01/namespaces/eventhubs/consumergroups) |
 
 ## Parameters
 

@@ -0,0 +1,69 @@
+@description('Conditional. The name of the parent event hub namespace. Required if the template is used in a standalone deployment.')
+param namespaceName string
+
+@allowed([
+  'Enabled'
+  'Disabled'
+])
+@description('Optional. This determines if traffic is allowed over public network. Default it is "Enabled". If set to "Disabled", traffic to this namespace will be restricted over Private Endpoints only.')
+param publicNetworkAccess string = 'Enabled'
+
+@allowed([
+  'Allow'
+  'Deny'
+])
+@description('Optional. Default Action for Network Rule Set. Default is "Allow". Will be set to "Deny" if ipRules/virtualNetworkRules or are being used. If ipRules/virtualNetworkRules are not used and PublicNetworkAccess is set to "Disabled", setting this to "Deny" would render the namespace resources inaccessible for data-plane requests')
+param defaultAction string = 'Allow'
+
+@description('Optional. List of IpRules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled".')
+param ipRules array = []
+
+@allowed([
+  true
+  false
+])
+@description('Optional. Value that indicates whether Trusted Service Access is Enabled or not. Default is "true".')
+param trustedServiceAccessEnabled bool = true
+
+@description('Optional. List VirtualNetwork Rules. When used, defaultAction will be set to "Deny" and publicNetworkAccess will be set to "Enabled".')
+param virtualNetworkRules array = []
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+  name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+    }
+  }
+}
+
+resource namespace 'Microsoft.EventHub/namespaces@2021-11-01' existing = {
+  name: namespaceName
+}
+
+resource networkRuleSet 'Microsoft.EventHub/namespaces/networkRuleSets@2021-11-01' = {
+  name: 'default'
+  parent: namespace
+  properties: {
+    publicNetworkAccess: !empty(ipRules) || !empty(virtualNetworkRules) ? null : publicNetworkAccess
+    defaultAction: !empty(ipRules) || !empty(virtualNetworkRules) ? 'Deny' : defaultAction
+    trustedServiceAccessEnabled: trustedServiceAccessEnabled
+    ipRules: publicNetworkAccess == 'Disabled' ? null : ipRules
+    virtualNetworkRules: publicNetworkAccess == 'Disabled' ? null : virtualNetworkRules
+  }
+}
+
+@description('The name of the network rule set.')
+output name string = networkRuleSet.name
+
+@description('The resource ID of the network rule set.')
+output resourceId string = networkRuleSet.id
+
+@description('The name of the resource group the network rule set was created in.')
+output resourceGroupName string = resourceGroup().name