diff --git a/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml b/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml index 438cd6d3af..651f718237 100644 --- a/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml +++ b/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml @@ -46,6 +46,7 @@ stages: removeDeployment: '${{ parameters.removeDeployment }}' deploymentBlocks: - path: $(modulePath)/.parameters/parameters.json + - path: $(modulePath)/.parameters/speech.parameters.json - stage: Publishing displayName: Publishing diff --git a/arm/Microsoft.AppConfiguration/configurationStores/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.AppConfiguration/configurationStores/.bicep/nested_privateEndpoint.bicep deleted file mode 100644 index 0e3f625a39..0000000000 --- a/arm/Microsoft.AppConfiguration/configurationStores/.bicep/nested_privateEndpoint.bicep +++ /dev/null 
@@ -1,49 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpointObj object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}') - subnetResourceId: privateEndpointObj.subnetResourceId - service: [ - privateEndpointObj.service - ] - privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : []) - customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null) -} - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } -} - -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { - name: '${privateEndpoint.name}/default' - properties: { - privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): { - name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/')) - properties: { - privateDnsZoneId: privateEndpoint_var.privateDnsZoneResourceIds[j] - 
} - }] - } -} diff --git a/arm/Microsoft.AppConfiguration/configurationStores/deploy.bicep b/arm/Microsoft.AppConfiguration/configurationStores/deploy.bicep index 17aad36691..7e48dd6af2 100644 --- a/arm/Microsoft.AppConfiguration/configurationStores/deploy.bicep +++ b/arm/Microsoft.AppConfiguration/configurationStores/deploy.bicep 
@@ -188,13 +188,23 @@ module appConfiguration_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment,
 }
 }]
-module appConfiguration_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-AppConfig-PrivateEndpoint-${index}'
+module appConfiguration_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+ name: '${uniqueString(deployment().name, location)}-appConfiguration-PrivateEndpoint-${index}'
 params: {
- privateEndpointResourceId: appConfiguration.id
- privateEndpointVnetLocation: empty(privateEndpoints) ? 'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- privateEndpointObj: privateEndpoint
- tags: tags
+ groupIds: [
+ privateEndpoint.service
+ ]
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(appConfiguration.id, '/'))}-${privateEndpoint.service}-${index}'
+ serviceResourceId: appConfiguration.id
+ subnetResourceId: privateEndpoint.subnetResourceId
+ enableDefaultTelemetry: enableDefaultTelemetry
+ location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified'
+ privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
+ roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
+ tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 }
 }]
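Review bot: The default-name fallback in `name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-…'` no longer covers an entry whose `name` key is present but empty; the deleted nested template also fell back on `empty(privateEndpointObj.name)`, so such an entry now reaches the network module with an empty name. Consider `name: contains(privateEndpoint, 'name') && !empty(privateEndpoint.name) ? privateEndpoint.name : 'pe-${last(split(appConfiguration.id, '/'))}-${privateEndpoint.service}-${index}'`. The DNS input also changes shape: the removed template read `privateDnsZoneResourceIds`, the new params read `privateDnsZoneGroups`, and an entry still carrying the old key deploys without error but without a DNS zone group, so the service FQDN keeps resolving to the public address; the readme hunks in this diff only drop merge markers, so if the parameter-usage section is not updated elsewhere in the commit it should state the new key. The same two points apply to the automationAccounts and cognitiveServices `deploy.bicep` hunks below.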
diff --git a/arm/Microsoft.AppConfiguration/configurationStores/readme.md b/arm/Microsoft.AppConfiguration/configurationStores/readme.md index 7a8f5b4714..017d296933 100644 --- a/arm/Microsoft.AppConfiguration/configurationStores/readme.md +++ b/arm/Microsoft.AppConfiguration/configurationStores/readme.md @@ -18,7 +18,7 @@ This module deploys an App Configuration Store. | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters @@ -187,7 +187,6 @@ roleAssignments: [

-======= ### Parameter Usage: `privateEndpoints` To use Private Endpoint the following dependencies must be deployed: @@ -265,7 +264,6 @@ privateEndpoints: [

->>>>>>> 3c13c7e234f0efcae26a25417453c58843d2002d ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_privateEndpoint.bicep deleted file mode 100644 index 26e201e43b..0000000000 --- a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_privateEndpoint.bicep +++ /dev/null 
@@ -1,52 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpointObj object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}') - subnetResourceId: privateEndpointObj.subnetResourceId - service: [ - privateEndpointObj.service - ] - privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? ((empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds)) : []) - customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null) -} - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } -} - -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = { - name: '${privateEndpoint_var.name}/default' - properties: { - privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { - name: last(split(privateDnsZoneResourceId, '/')) - properties: { - privateDnsZoneId: privateDnsZoneResourceId - } - }] - } - dependsOn: [ - privateEndpoint - ] -} 
diff --git a/arm/Microsoft.Automation/automationAccounts/deploy.bicep b/arm/Microsoft.Automation/automationAccounts/deploy.bicep index b663569a00..b076c71097 100644 --- a/arm/Microsoft.Automation/automationAccounts/deploy.bicep +++ b/arm/Microsoft.Automation/automationAccounts/deploy.bicep 
@@ -352,13 +352,23 @@ resource automationAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSett
 scope: automationAccount
 }
-module automationAccount_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) {
- name: '${uniqueString(deployment().name, location)}-AutoAccount-PrivateEndpoint-${index}'
+module automationAccount_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+ name: '${uniqueString(deployment().name, location)}-AutomationAccount-PrivateEndpoint-${index}'
 params: {
- privateEndpointResourceId: automationAccount.id
- privateEndpointVnetLocation: !empty(privateEndpoints) ? reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location : 'dummy'
- privateEndpointObj: endpoint
- tags: tags
+ groupIds: [
+ privateEndpoint.service
+ ]
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(automationAccount.id, '/'))}-${privateEndpoint.service}-${index}'
+ serviceResourceId: automationAccount.id
+ subnetResourceId: privateEndpoint.subnetResourceId
+ enableDefaultTelemetry: enableDefaultTelemetry
+ location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified'
+ privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
+ roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
+ tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 }
 }]
diff --git a/arm/Microsoft.Automation/automationAccounts/readme.md b/arm/Microsoft.Automation/automationAccounts/readme.md index 9fe087ec9c..49b775fa0c 100644 --- a/arm/Microsoft.Automation/automationAccounts/readme.md +++ b/arm/Microsoft.Automation/automationAccounts/readme.md @@ -374,7 +374,6 @@ userAssignedIdentities: { "keyVersion" : { "value" : "9917c14be51d4d93b37218de7d326f60" }, - "userAssignedIdentities": { "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} diff --git a/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_privateEndpoints.bicep b/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_privateEndpoints.bicep deleted file mode 100644 index 4e7cd75dcb..0000000000 --- a/arm/Microsoft.CognitiveServices/accounts/.bicep/nested_privateEndpoints.bicep +++ /dev/null 
@@ -1,49 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpoint object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: (contains(privateEndpoint, 'name') ? (empty(privateEndpoint.name) ? '${privateEndpointResourceName}-${privateEndpoint.service}' : privateEndpoint.name) : '${privateEndpointResourceName}-${privateEndpoint.service}') - subnetResourceId: privateEndpoint.subnetResourceId - service: [ - privateEndpoint.service - ] - privateDnsZoneResourceIds: (contains(privateEndpoint, 'privateDnsZoneResourceIds') ? privateEndpoint.privateDnsZoneResourceIds : []) - customDnsConfigs: (contains(privateEndpoint, 'customDnsConfigs') ? (empty(privateEndpoint.customDnsConfigs) ? null : privateEndpoint.customDnsConfigs) : null) -} - -resource privateEndpoint_resource 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } -} - -resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { - name: '${privateEndpoint_resource.name}/default' - properties: { - privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { - name: last(split(privateDnsZoneResourceId, '/')) - properties: { - privateDnsZoneId: privateDnsZoneResourceId - } - }] - } -} 
diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json new file mode 100644 index 0000000000..489b409bac --- /dev/null +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json @@ -0,0 +1,34 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-cgs-speech-001" + }, + "kind": { + "value": "SpeechServices" + }, + "sku": { + "value": "F0" + }, + "systemAssignedIdentity": { + "value": true + }, + "userAssignedIdentities": { + "value": { + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} + } + }, + "customSubDomainName": { + "value": "<>domain" + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "account" + } + ] + } + } +} diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index 4c7c81208e..abe3a86d52 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -73,7 +73,7 @@ param diagnosticEventHubName string = '' @description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' are set.') param customSubDomainName string = '' -@description('Optional. Subdomain name used for token-based authentication. Must be set if \'networkAcls\' are set.') +@description('Optional. Whether or not public endpoint access is allowed for this account.') @allowed([ 'Enabled' 'Disabled' 
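Review bot: The new `speech.parameters.json` exercises `privateEndpoints` with only `subnetResourceId` and `service`, so the pipeline run added in `ms.cognitiveservices.accounts.yml` never passes `privateDnsZoneGroups`, `lock` or `roleAssignments` through the rewired module call in `accounts/deploy.bicep`; adding a `privateDnsZoneGroups` entry to this file would cover the renamed input. Note also that `customSubDomainName` is set while `publicNetworkAccess` is left at its default, which per the parameter table in the readme is `Enabled`, so the account stays publicly reachable alongside the private endpoint; that is acceptable for a validation deployment, but since the readme hunk below also publishes this file as "Example 2", a short sentence there saying that `publicNetworkAccess: 'Disabled'` is the private-only configuration would keep readers from copying it as-is.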
@@ -244,13 +244,23 @@ resource cognitiveServices_diagnosticSettingName 'Microsoft.Insights/diagnostics
 scope: cognitiveServices
 }
-module cognitiveServices_privateEndpoints '.bicep/nested_privateEndpoints.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+module cognitiveServices_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
 name: '${uniqueString(deployment().name, location)}-CognitiveServices-PrivateEndpoint-${index}'
 params: {
- privateEndpointResourceId: cognitiveServices.id
- privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)
- privateEndpoint: privateEndpoint
- tags: tags
+ groupIds: [
+ privateEndpoint.service
+ ]
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(cognitiveServices.id, '/'))}-${privateEndpoint.service}-${index}'
+ serviceResourceId: cognitiveServices.id
+ subnetResourceId: privateEndpoint.subnetResourceId
+ enableDefaultTelemetry: enableDefaultTelemetry
+ location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified'
+ privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
+ roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
+ tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 }
 }]
diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index 9a481c9c51..e2ec279c51 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -19,7 +19,7 @@ This module deploys different kinds of cognitive services resources | `Microsoft.CognitiveServices/accounts` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.CognitiveServices/2021-10-01/accounts) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters 
@@ -55,7 +55,7 @@ This module deploys different kinds of cognitive services resources | `migrationToken` | string | `''` | | Resource migration token. | | `networkAcls` | object | `{object}` | | Service endpoint object information. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | -| `publicNetworkAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | Subdomain name used for token-based authentication. Must be set if 'networkAcls' are set. | +| `publicNetworkAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | Whether or not public endpoint access is allowed for this account. | | `restore` | bool | `False` | | Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists. | | `restrictOutboundNetworkAccess` | bool | `True` | | Restrict outbound network access. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -445,3 +445,77 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = {

+ +

Example 2

+ +
+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-cgs-speech-001" + }, + "kind": { + "value": "SpeechServices" + }, + "sku": { + "value": "F0" + }, + "systemAssignedIdentity": { + "value": true + }, + "userAssignedIdentities": { + "value": { + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} + } + }, + "customSubDomainName": { + "value": "<>domain" + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "account" + } + ] + } + } +} + +``` + +
+ +
+ +via Bicep module + +```bicep +module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-accounts' + params: { + name: '<>-az-cgs-speech-001' + kind: 'SpeechServices' + sku: 'F0' + systemAssignedIdentity: true + userAssignedIdentities: { + '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} + } + customSubDomainName: '<>domain' + privateEndpoints: [ + { + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + service: 'account' + } + ] + } +``` + +
+

diff --git a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_backup.bicep b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_backup.bicep deleted file mode 100644 index 7e6865bc6b..0000000000 --- a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_backup.bicep +++ /dev/null @@ -1,27 +0,0 @@ -param backupResourceName string - -@allowed([ - 'AzureFileShareProtectedItem' - 'AzureVmWorkloadSAPAseDatabase' - 'AzureVmWorkloadSAPHanaDatabase' - 'AzureVmWorkloadSQLDatabase' - 'DPMProtectedItem' - 'GenericProtectedItem' - 'MabFileFolderProtectedItem' - 'Microsoft.ClassicCompute/virtualMachines' - 'Microsoft.Compute/virtualMachines' - 'Microsoft.Sql/servers/databases' -]) -param protectedItemType string -param backupPolicyId string -param sourceResourceId string - -resource backup 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems@2021-06-01' = { - name: backupResourceName - location: resourceGroup().location - properties: { - protectedItemType: protectedItemType - policyId: backupPolicyId - sourceResourceId: sourceResourceId - } -} diff --git a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface.bicep b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface.bicep index e7b50c9edd..a7ae6cfb29 100644 --- a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface.bicep +++ b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface.bicep @@ -5,8 +5,11 @@ param tags object param enableIPForwarding bool = false param enableAcceleratedNetworking bool = false param dnsServers array = [] -param networkSecurityGroupId string = '' -param ipConfigurationArray array + +@description('Optional. The network security group (NSG) to attach to the network interface.') +param networkSecurityGroupResourceId string = '' + +param ipConfigurations array param lock string param diagnosticStorageAccountId string param diagnosticLogsRetentionInDays int 
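Review bot: In the `nested_networkInterface.bicep` hunk the renamed `ipConfigurations` parameter is left without a `@description`, while the renamed `networkSecurityGroupResourceId` directly above it gets one; the surrounding `lock`, `diagnosticStorageAccountId` and `diagnosticLogsRetentionInDays` parameters are likewise undocumented. Something like `@description('Required. The IP configurations of the network interface; an entry with a pipconfiguration object also gets a public IP address.')` above `param ipConfigurations array` would keep the parameter block consistent. The two renames also require the calling `virtualMachines/deploy.bicep` to pass the new names, which is not visible in this diff; Bicep rejects unknown module parameters, so a missed call site fails at validation rather than silently, but it is worth confirming the caller was updated in the same commit.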
@@ -16,7 +19,12 @@ param diagnosticEventHubName string
 param pipdiagnosticMetricsToEnable array
 param pipdiagnosticLogCategoriesToEnable array
 param nicDiagnosticMetricsToEnable array
-param roleAssignments array
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
 @description('Optional. The name of the PIP diagnostic setting, if deployed.')
 param pipDiagnosticSettingsName string = '${virtualMachineName}-diagnosticSettings'
@@ -24,100 +32,70 @@ param pipDiagnosticSettingsName string = '${virtualMachineName}-diagnosticSettin @description('Optional. The name of the NIC diagnostic setting, if deployed.') param nicDiagnosticSettingsName string = '${virtualMachineName}-diagnosticSettings' -var nicDiagnosticsMetrics = [for metric in nicDiagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } -}] - -module networkInterface_publicIPConfigurations 'nested_networkInterface_publicIPAddress.bicep' = [for (ipConfiguration, index) in ipConfigurationArray: if (contains(ipConfiguration, 'pipconfiguration')) { - name: '${deployment().name}-PIP-${index}' +module networkInterface_publicIPAddresses '../../../Microsoft.Network/publicIPAddresses/deploy.bicep' = [for (ipConfiguration, index) in ipConfigurations: if (contains(ipConfiguration, 'pipconfiguration')) { + name: '${deployment().name}-publicIP-${index}' params: { - publicIPAddressName: '${virtualMachineName}${ipConfiguration.pipconfiguration.publicIpNameSuffix}' - publicIPPrefixId: (contains(ipConfiguration.pipconfiguration, 'publicIPPrefixId') ? (!(empty(ipConfiguration.pipconfiguration.publicIPPrefixId)) ? ipConfiguration.pipconfiguration.publicIPPrefixId : '') : '') - publicIPAllocationMethod: (contains(ipConfiguration.pipconfiguration, 'publicIPAllocationMethod') ? (!(empty(ipConfiguration.pipconfiguration.publicIPAllocationMethod)) ? ipConfiguration.pipconfiguration.publicIPAllocationMethod : 'Static') : 'Static') - skuName: (contains(ipConfiguration.pipconfiguration, 'skuName') ? (!(empty(ipConfiguration.pipconfiguration.skuName)) ? ipConfiguration.pipconfiguration.skuName : 'Standard') : 'Standard') - skuTier: (contains(ipConfiguration.pipconfiguration, 'skuTier') ? (!(empty(ipConfiguration.pipconfiguration.skuTier)) ? 
ipConfiguration.pipconfiguration.skuTier : 'Regional') : 'Regional') - location: location - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays - diagnosticWorkspaceId: diagnosticWorkspaceId + name: '${virtualMachineName}${ipConfiguration.pipconfiguration.publicIpNameSuffix}' diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId diagnosticEventHubName: diagnosticEventHubName - diagnosticSettingsName: pipDiagnosticSettingsName - diagnosticMetricsToEnable: pipdiagnosticMetricsToEnable diagnosticLogCategoriesToEnable: pipdiagnosticLogCategoriesToEnable + diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays + diagnosticMetricsToEnable: pipdiagnosticMetricsToEnable + diagnosticSettingsName: pipDiagnosticSettingsName + diagnosticStorageAccountId: diagnosticStorageAccountId + diagnosticWorkspaceId: diagnosticWorkspaceId + enableDefaultTelemetry: enableDefaultTelemetry + location: location lock: lock - roleAssignments: contains(ipConfiguration.pipconfiguration, 'roleAssignments') ? (!empty(ipConfiguration.pipconfiguration.roleAssignments) ? ipConfiguration.pipconfiguration.roleAssignments : []) : [] + publicIPAddressVersion: contains(ipConfiguration, 'publicIPAddressVersion') ? ipConfiguration.publicIPAddressVersion : 'IPv4' + publicIPAllocationMethod: contains(ipConfiguration, 'publicIPAllocationMethod') ? ipConfiguration.publicIPAllocationMethod : 'Static' + publicIPPrefixResourceId: contains(ipConfiguration, 'publicIPPrefixResourceId') ? ipConfiguration.publicIPPrefixResourceId : '' + roleAssignments: contains(ipConfiguration, 'roleAssignments') ? ipConfiguration.roleAssignments : [] + skuName: contains(ipConfiguration, 'skuName') ? ipConfiguration.skuName : 'Standard' + skuTier: contains(ipConfiguration, 'skuTier') ? ipConfiguration.skuTier : 'Regional' tags: tags + zones: contains(ipConfiguration, 'zones') ? 
ipConfiguration.zones : [] } }] -resource networkInterface 'Microsoft.Network/networkInterfaces@2021-05-01' = { - name: networkInterfaceName - location: location - tags: tags - properties: { - enableIPForwarding: enableIPForwarding - enableAcceleratedNetworking: enableAcceleratedNetworking - dnsSettings: !empty(dnsServers) ? { - dnsServers: dnsServers - } : null - networkSecurityGroup: !empty(networkSecurityGroupId) ? { - id: networkSecurityGroupId - } : null - ipConfigurations: [for (ipConfiguration, index) in ipConfigurationArray: { +module networkInterface '../../../Microsoft.Network/networkInterfaces/deploy.bicep' = { + name: '${deployment().name}-NetworkInterface' + params: { + name: networkInterfaceName + ipConfigurations: [for (ipConfiguration, index) in ipConfigurations: { name: !empty(ipConfiguration.name) ? ipConfiguration.name : null - properties: { - primary: ((index == 0) ? true : false) - privateIPAllocationMethod: contains(ipConfiguration, 'privateIPAllocationMethod') ? (!empty(ipConfiguration.privateIPAllocationMethod) ? ipConfiguration.privateIPAllocationMethod : null) : null - privateIPAddress: contains(ipConfiguration, 'vmIPAddress') ? (!empty(ipConfiguration.vmIPAddress) ? ipConfiguration.vmIPAddress : null) : null - publicIPAddress: contains(ipConfiguration, 'pipconfiguration') ? json('{"id":"${resourceId('Microsoft.Network/publicIPAddresses', '${virtualMachineName}${ipConfiguration.pipconfiguration.publicIpNameSuffix}')}"}') : null - subnet: { - id: ipConfiguration.subnetId - } - loadBalancerBackendAddressPools: contains(ipConfiguration, 'loadBalancerBackendAddressPools') ? ipConfiguration.loadBalancerBackendAddressPools : null - applicationSecurityGroups: contains(ipConfiguration, 'applicationSecurityGroups') ? ipConfiguration.applicationSecurityGroups : null - } + primary: index == 0 + privateIPAllocationMethod: contains(ipConfiguration, 'privateIPAllocationMethod') ? (!empty(ipConfiguration.privateIPAllocationMethod) ? 
ipConfiguration.privateIPAllocationMethod : null) : null + privateIPAddress: contains(ipConfiguration, 'vmIPAddress') ? (!empty(ipConfiguration.vmIPAddress) ? ipConfiguration.vmIPAddress : null) : null + publicIPAddressResourceId: contains(ipConfiguration, 'pipconfiguration') ? resourceId('Microsoft.Network/publicIPAddresses', '${virtualMachineName}${ipConfiguration.pipconfiguration.publicIpNameSuffix}') : null + subnetId: ipConfiguration.subnetId + + loadBalancerBackendAddressPools: contains(ipConfiguration, 'loadBalancerBackendAddressPools') ? ipConfiguration.loadBalancerBackendAddressPools : null + applicationSecurityGroups: contains(ipConfiguration, 'applicationSecurityGroups') ? ipConfiguration.applicationSecurityGroups : null + applicationGatewayBackendAddressPools: contains(ipConfiguration, 'applicationGatewayBackendAddressPools') ? ipConfiguration.applicationGatewayBackendAddressPools : null + gatewayLoadBalancer: contains(ipConfiguration, 'gatewayLoadBalancer') ? ipConfiguration.gatewayLoadBalancer : null + loadBalancerInboundNatRules: contains(ipConfiguration, 'loadBalancerInboundNatRules') ? ipConfiguration.loadBalancerInboundNatRules : null + privateIPAddressVersion: contains(ipConfiguration, 'privateIPAddressVersion') ? ipConfiguration.privateIPAddressVersion : null + virtualNetworkTaps: contains(ipConfiguration, 'virtualNetworkTaps') ? ipConfiguration.virtualNetworkTaps : null }] + location: location + tags: tags + diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId + diagnosticEventHubName: diagnosticEventHubName + diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays + diagnosticStorageAccountId: diagnosticStorageAccountId + diagnosticMetricsToEnable: nicDiagnosticMetricsToEnable + diagnosticSettingsName: nicDiagnosticSettingsName + diagnosticWorkspaceId: diagnosticWorkspaceId + dnsServers: !empty(dnsServers) ? 
dnsServers : [] + enableAcceleratedNetworking: enableAcceleratedNetworking + enableDefaultTelemetry: enableDefaultTelemetry + enableIPForwarding: enableIPForwarding + lock: lock + networkSecurityGroupResourceId: !empty(networkSecurityGroupResourceId) ? networkSecurityGroupResourceId : '' + roleAssignments: !empty(roleAssignments) ? roleAssignments : [] } dependsOn: [ - networkInterface_publicIPConfigurations + networkInterface_publicIPAddresses ] } - -resource networkInterface_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { - name: '${networkInterface.name}-${lock}-lock' - properties: { - level: lock - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' - } - scope: networkInterface -} - -resource networkInterface_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) { - name: nicDiagnosticSettingsName - properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: nicDiagnosticsMetrics - } - scope: networkInterface -} - -module networkInterface_rbac 'nested_networkInterface_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-Rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? 
roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - resourceId: networkInterface.id - } -}] diff --git a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_publicIPAddress.bicep b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_publicIPAddress.bicep deleted file mode 100644 index d8e3494d4a..0000000000 --- a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_publicIPAddress.bicep +++ /dev/null 
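Review bot: The public IP settings are now looked up on `ipConfiguration` itself (`contains(ipConfiguration, 'skuName')`, `'skuTier'`, `'publicIPAllocationMethod'`, `'publicIPPrefixResourceId'`, `'roleAssignments'`), whereas the removed lines read them from `ipConfiguration.pipconfiguration`, and `publicIpNameSuffix` is still read from `ipConfiguration.pipconfiguration` in both the module name and the `publicIPAddressResourceId` expression. An input in the previous shape therefore deploys without error but with defaults: a prefix-bound address becomes an unconstrained Standard/Static one and the public IP's role assignments are silently dropped, which is the kind of drift a validation run does not catch. Unless the VM readme is changed elsewhere in this commit to document the new top-level keys, keeping the lookups under `pipconfiguration` preserves the documented contract; the rewritten module params are below (the key itself is also renamed from `publicIPPrefixId` to `publicIPPrefixResourceId`, which the readme should call out either way). Separately, `dnsServers: !empty(dnsServers) ? dnsServers : []`, `networkSecurityGroupResourceId: !empty(networkSecurityGroupResourceId) ? networkSecurityGroupResourceId : ''` and `roleAssignments: !empty(roleAssignments) ? roleAssignments : []` are identity expressions and can pass the parameter straight through.
```bicep
module networkInterface_publicIPAddresses '../../../Microsoft.Network/publicIPAddresses/deploy.bicep' = [for (ipConfiguration, index) in ipConfigurations: if (contains(ipConfiguration, 'pipconfiguration')) {
  // … unchanged: name, diagnostic, telemetry, location and lock params …
    publicIPAddressVersion: contains(ipConfiguration.pipconfiguration, 'publicIPAddressVersion') ? ipConfiguration.pipconfiguration.publicIPAddressVersion : 'IPv4'
    publicIPAllocationMethod: contains(ipConfiguration.pipconfiguration, 'publicIPAllocationMethod') ? ipConfiguration.pipconfiguration.publicIPAllocationMethod : 'Static'
    publicIPPrefixResourceId: contains(ipConfiguration.pipconfiguration, 'publicIPPrefixResourceId') ? ipConfiguration.pipconfiguration.publicIPPrefixResourceId : ''
    roleAssignments: contains(ipConfiguration.pipconfiguration, 'roleAssignments') ? ipConfiguration.pipconfiguration.roleAssignments : []
    skuName: contains(ipConfiguration.pipconfiguration, 'skuName') ? ipConfiguration.pipconfiguration.skuName : 'Standard'
    skuTier: contains(ipConfiguration.pipconfiguration, 'skuTier') ? ipConfiguration.pipconfiguration.skuTier : 'Regional'
    tags: tags
    zones: contains(ipConfiguration.pipconfiguration, 'zones') ? ipConfiguration.pipconfiguration.zones : []
  // … unchanged: end of params and module …
```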
@@ -1,96 +0,0 @@
-param publicIPAddressName string
-param publicIPPrefixId string
-param publicIPAllocationMethod string
-param skuName string
-param skuTier string
-param location string
-param diagnosticStorageAccountId string
-param diagnosticLogsRetentionInDays int
-param diagnosticWorkspaceId string
-param diagnosticEventHubAuthorizationRuleId string
-param diagnosticEventHubName string
-param diagnosticMetricsToEnable array
-param diagnosticLogCategoriesToEnable array
-param lock string
-param roleAssignments array
-param tags object
-
-@description('Optional. The name of the diagnostic setting, if deployed.')
-param diagnosticSettingsName string = '${publicIPAddressName}-diagnosticSettings'
-
-var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
- category: category
- enabled: true
- retentionPolicy: {
- enabled: true
- days: diagnosticLogsRetentionInDays
- }
-}]
-
-var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
- category: metric
- timeGrain: null
- enabled: true
- retentionPolicy: {
- enabled: true
- days: diagnosticLogsRetentionInDays
- }
-}]
-
-resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' = {
- name: publicIPAddressName
- location: location
- tags: tags
- sku: {
- name: skuName
- tier: skuTier
- }
- properties: {
- publicIPAllocationMethod: publicIPAllocationMethod
- publicIPPrefix: !empty(publicIPPrefixId) ? {
- id: publicIPPrefixId
- } : null
- }
-}
-
-resource publicIpAddress_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
- name: '${publicIpAddress.name}-${lock}-lock'
- properties: {
- level: lock
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
- }
- scope: publicIpAddress
-}
-
-resource publicIpAddress_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
- name: diagnosticSettingsName
- properties: {
- storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
- workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
- eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
- eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
- metrics: diagnosticsMetrics
- logs: diagnosticsLogs
- }
- scope: publicIpAddress
-}
-
-module publicIpAddress_rbac 'nested_networkInterface_publicIPAddress_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
- name: '${deployment().name}-Rbac-${index}'
- params: {
- description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
- principalIds: roleAssignment.principalIds
- principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
- roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
- resourceId: publicIpAddress.id
- }
-}]
-
-@description('The name of the resource group the public IP address was deployed.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the public IP address.')
-output name string = publicIpAddress.name
-
-@description('The resource ID of the public IP address.')
-output resourceId string = publicIpAddress.id
diff --git a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_publicIPAddress_rbac.bicep b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_publicIPAddress_rbac.bicep
deleted file mode 100644
index 8c3558ae55..0000000000
--- a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_publicIPAddress_rbac.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-var builtInRoleNames = {
- 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
- 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
- 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Microsoft OneAsset Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd1bb084-1503-4bd2-99c0-630220046786')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
- 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
-}
-
-resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' existing = {
- name: last(split(resourceId, '/'))
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: {
- name: guid(publicIpAddress.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- }
- scope: publicIpAddress
-}]
diff --git a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_rbac.bicep b/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_rbac.bicep
deleted file mode 100644
index 88501e9412..0000000000
--- a/arm/Microsoft.Compute/virtualMachines/.bicep/nested_networkInterface_rbac.bicep
+++ /dev/null
@@ -1,61 +0,0 @@
-@sys.description('Required. The IDs of the principals to assign the role to.')
-param principalIds array
-
-@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
-param roleDefinitionIdOrName string
-
-@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
-param resourceId string
-
-@sys.description('Optional. The principal type of the assigned principal ID.')
-@allowed([
- 'ServicePrincipal'
- 'Group'
- 'User'
- 'ForeignGroup'
- 'Device'
- ''
-])
-param principalType string = ''
-
-@sys.description('Optional. The description of the role assignment.')
-param description string = ''
-
-var builtInRoleNames = {
- 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
- 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
- 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Microsoft OneAsset Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd1bb084-1503-4bd2-99c0-630220046786')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
- 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
-}
-
-resource networkInterface 'Microsoft.Network/networkInterfaces@2021-03-01' existing = {
- name: last(split(resourceId, '/'))
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: {
- name: guid(networkInterface.id, principalId, roleDefinitionIdOrName)
- properties: {
- description: description
- roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
- principalId: principalId
- principalType: !empty(principalType) ? any(principalType) : null
- }
- scope: networkInterface
-}]
diff --git a/arm/Microsoft.Compute/virtualMachines/deploy.bicep b/arm/Microsoft.Compute/virtualMachines/deploy.bicep
index 611284e88e..4f5851acb2 100644
--- a/arm/Microsoft.Compute/virtualMachines/deploy.bicep
+++ b/arm/Microsoft.Compute/virtualMachines/deploy.bicep
@@ -353,14 +353,15 @@ module virtualMachine_nic '.bicep/nested_networkInterface.bicep' = [for (nicConf
 name: '${uniqueString(deployment().name, location)}-VM-Nic-${index}'
 params: {
 networkInterfaceName: '${name}${nicConfiguration.nicSuffix}'
+ enableDefaultTelemetry: enableDefaultTelemetry
 virtualMachineName: name
 location: location
 tags: tags
 enableIPForwarding: contains(nicConfiguration, 'enableIPForwarding') ? (!empty(nicConfiguration.enableIPForwarding) ? nicConfiguration.enableIPForwarding : false) : false
 enableAcceleratedNetworking: contains(nicConfiguration, 'enableAcceleratedNetworking') ? nicConfiguration.enableAcceleratedNetworking : true
 dnsServers: contains(nicConfiguration, 'dnsServers') ? (!empty(nicConfiguration.dnsServers) ? nicConfiguration.dnsServers : []) : []
- networkSecurityGroupId: contains(nicConfiguration, 'networkSecurityGroupId') ? (!empty(nicConfiguration.networkSecurityGroupId) ? nicConfiguration.networkSecurityGroupId : '') : ''
- ipConfigurationArray: nicConfiguration.ipConfigurations
+ networkSecurityGroupResourceId: contains(nicConfiguration, 'networkSecurityGroupResourceId') ? nicConfiguration.networkSecurityGroupResourceId : ''
+ ipConfigurations: nicConfiguration.ipConfigurations
 lock: lock
 diagnosticStorageAccountId: diagnosticStorageAccountId
 diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays
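Review bot: The new `networkSecurityGroupResourceId` line in the `virtualMachine_nic` params only reads the key `networkSecurityGroupResourceId` from `nicConfiguration`, so a parameter file that still uses the previous key `networkSecurityGroupId` deploys the NIC with no network security group attached and no error, because `contains` returns false and `''` is passed through. Either keep a one-release fallback to the old key, `networkSecurityGroupResourceId: contains(nicConfiguration, 'networkSecurityGroupResourceId') ? nicConfiguration.networkSecurityGroupResourceId : (contains(nicConfiguration, 'networkSecurityGroupId') ? nicConfiguration.networkSecurityGroupId : '')`, or call the rename out as a breaking change in the module readme and the shipped parameter files. The `ipConfigurations` rename on the same hunk is less of a concern since the property is accessed directly and a missing key would surface as a deployment error rather than a silently weaker configuration. The `virtualMachine_nic` module declaration continues past the end of this hunk.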
@@ -615,12 +616,14 @@ module vm_diskEncryptionExtension 'extensions/deploy.bicep' = if (extensionDiskE
 ]
 }
 
-module virtualMachine_backup '.bicep/nested_backup.bicep' = if (!empty(backupVaultName)) {
+module virtualMachine_backup '../../Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/deploy.bicep' = if (!empty(backupVaultName)) {
 name: '${uniqueString(deployment().name, location)}-VM-Backup'
 params: {
- backupResourceName: '${backupVaultName}/Azure/iaasvmcontainer;iaasvmcontainerv2;${resourceGroup().name};${virtualMachine.name}/vm;iaasvmcontainerv2;${resourceGroup().name};${virtualMachine.name}'
+ name: 'vm;iaasvmcontainerv2;${resourceGroup().name};${virtualMachine.name}'
+ policyId: az.resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', backupVaultName, backupPolicyName)
 protectedItemType: 'Microsoft.Compute/virtualMachines'
- backupPolicyId: az.resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', backupVaultName, backupPolicyName)
+ protectionContainerName: 'iaasvmcontainer;iaasvmcontainerv2;${resourceGroup().name};${virtualMachine.name}'
+ recoveryVaultName: backupVaultName
 sourceResourceId: virtualMachine.id
 }
 scope: az.resourceGroup(backupVaultResourceGroup)
diff --git a/arm/Microsoft.ContainerRegistry/registries/.bicep/nested_privateEndpoints.bicep b/arm/Microsoft.ContainerRegistry/registries/.bicep/nested_privateEndpoints.bicep
deleted file mode 100644
index 9deaf8c02f..0000000000
--- a/arm/Microsoft.ContainerRegistry/registries/.bicep/nested_privateEndpoints.bicep
+++ /dev/null
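Review bot: The `virtualMachine_backup` module now references the shared `protectedItems/deploy.bicep` but, unlike the other cross-module references in this commit (`virtualMachine_nic` and the private endpoint modules all pass `enableDefaultTelemetry: enableDefaultTelemetry`), it does not forward `enableDefaultTelemetry`; if the referenced module declares that parameter with a default of true, the parent's opt-out would not reach the nested deployment. Adding `enableDefaultTelemetry: enableDefaultTelemetry` to the params keeps the behaviour consistent with the rest of the file. It is also worth confirming that the `Azure` backup-fabric segment dropped from the old `backupResourceName` is supplied inside the referenced module, since `protectionContainerName` now starts at `iaasvmcontainer;...`.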
@@ -1,49 +0,0 @@
-param privateEndpointResourceId string
-param privateEndpointVnetLocation string
-param privateEndpointObj object
-param tags object
-
-var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
-var privateEndpoint_var = {
- name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}')
- subnetResourceId: privateEndpointObj.subnetResourceId
- service: [
- privateEndpointObj.service
- ]
- privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? privateEndpointObj.privateDnsZoneResourceIds : [])
- customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null)
-}
-
-resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
- name: privateEndpoint_var.name
- location: privateEndpointVnetLocation
- tags: tags
- properties: {
- privateLinkServiceConnections: [
- {
- name: privateEndpoint_var.name
- properties: {
- privateLinkServiceId: privateEndpointResourceId
- groupIds: privateEndpoint_var.service
- }
- }
- ]
- manualPrivateLinkServiceConnections: []
- subnet: {
- id: privateEndpoint_var.subnetResourceId
- }
- customDnsConfigs: privateEndpoint_var.customDnsConfigs
- }
-}
-
-resource privateEndpoint_privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
- name: '${privateEndpoint.name}/default'
- properties: {
- privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: {
- name: last(split(privateDnsZoneResourceId, '/'))
- properties: {
- privateDnsZoneId: privateDnsZoneResourceId
- }
- }]
- }
-}
diff --git a/arm/Microsoft.ContainerRegistry/registries/deploy.bicep b/arm/Microsoft.ContainerRegistry/registries/deploy.bicep
index 8813fa3c8c..f3da157b87 100644
--- a/arm/Microsoft.ContainerRegistry/registries/deploy.bicep
+++ b/arm/Microsoft.ContainerRegistry/registries/deploy.bicep
@@ -282,13 +282,23 @@ module registry_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) i
 }
 }]
 
-module registry_privateEndpoints '.bicep/nested_privateEndpoints.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+module registry_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
 name: '${uniqueString(deployment().name, location)}-ContainerRegistry-PrivateEndpoint-${index}'
 params: {
- privateEndpointResourceId: registry.id
- privateEndpointVnetLocation: empty(privateEndpoints) ? 'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- privateEndpointObj: privateEndpoint
- tags: tags
+ groupIds: [
+ privateEndpoint.service
+ ]
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(registry.id, '/'))}-${privateEndpoint.service}-${index}'
+ serviceResourceId: registry.id
+ subnetResourceId: privateEndpoint.subnetResourceId
+ enableDefaultTelemetry: enableDefaultTelemetry
+ location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified'
+ privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
+ roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
+ tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 }
 }]
 
diff --git a/arm/Microsoft.ContainerRegistry/registries/readme.md b/arm/Microsoft.ContainerRegistry/registries/readme.md
index 185d02a5f8..15c8d6fefa 100644
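Review bot: The private endpoint object consumed by `registry_privateEndpoints` changes shape with no compatibility path: the deleted nested module read `privateDnsZoneResourceIds`, while the new params read `privateDnsZoneGroups`, so an existing parameter file that still supplies `privateDnsZoneResourceIds` deploys the endpoint with no DNS zone group and no error, because `contains` falls back to `[]` and name resolution through the private zone is silently lost. The default endpoint name also changes from `${resourceName}-${service}` to `'pe-${last(split(registry.id, '/'))}-${privateEndpoint.service}-${index}'`, which on redeploy would create a differently named endpoint beside the existing one under incremental deployment unless callers set `name` explicitly. Both points apply equally to the `topic_privateEndpoints` hunk in arm/Microsoft.EventGrid/topics/deploy.bicep further down. The readme hunk for this module only bumps the privateDnsZoneGroups API version; the `privateEndpoints` parameter description should document the new keys (`privateDnsZoneGroups`, `lock`, `roleAssignments`, `manualPrivateLinkServiceConnections`) and flag the rename and the new default name as breaking.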
--- a/arm/Microsoft.ContainerRegistry/registries/readme.md
+++ b/arm/Microsoft.ContainerRegistry/registries/readme.md
@@ -19,7 +19,7 @@ Azure Container Registry is a managed, private Docker registry service based on
 | `Microsoft.ContainerRegistry/registries/replications` | [2021-12-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ContainerRegistry/2021-12-01-preview/registries/replications) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
 | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) |
-| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) |
+| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) |
 
 ## Parameters
 
diff --git a/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_privateEndpoint.bicep
deleted file mode 100644
index 82ab478cd6..0000000000
--- a/arm/Microsoft.EventGrid/systemTopics/.bicep/nested_privateEndpoint.bicep
+++ /dev/null
@@ -1,52 +0,0 @@
-param privateEndpointResourceId string
-param privateEndpointVnetLocation string
-param privateEndpointObj object
-param tags object
-
-var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
-var privateEndpoint_var = {
- name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}')
- subnetResourceId: privateEndpointObj.subnetResourceId
- service: [
- privateEndpointObj.service
- ]
- privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : [])
- customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null)
-}
-
-resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
- name: privateEndpoint_var.name
- location: privateEndpointVnetLocation
- tags: tags
- properties: {
- privateLinkServiceConnections: [
- {
- name: privateEndpoint_var.name
- properties: {
- privateLinkServiceId: privateEndpointResourceId
- groupIds: privateEndpoint_var.service
- }
- }
- ]
- manualPrivateLinkServiceConnections: []
- subnet: {
- id: privateEndpoint_var.subnetResourceId
- }
- customDnsConfigs: privateEndpoint_var.customDnsConfigs
- }
-}
-
-resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
- name: '${privateEndpoint_var.name}/default'
- properties: {
- privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): {
- name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/'))
- properties: {
- privateDnsZoneId: privateEndpoint_var.privateDnsZoneResourceIds[j]
- }
- }]
- }
- dependsOn: [
- privateEndpoint
- ]
-}
diff --git a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
index 11edd194de..61585c61eb 100644
--- a/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
+++ b/arm/Microsoft.EventGrid/systemTopics/deploy.bicep
@@ -27,9 +27,6 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param diagnosticEventHubName string = ''
 
-@description('Optional. Configuration Details for private endpoints.')
-param privateEndpoints array = []
-
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
 
@@ -143,16 +140,6 @@ resource systemTopic_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2
 scope: systemTopic
 }
 
-module systemTopic_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) {
- name: '${uniqueString(deployment().name, location)}-EventGrid-PrivateEndpoint-${index}'
- params: {
- privateEndpointResourceId: systemTopic.id
- privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)
- privateEndpointObj: privateEndpoint
- tags: tags
- }
-}]
-
 module systemTopic_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-EventGrid-Rbac-${index}'
 params: {
diff --git a/arm/Microsoft.EventGrid/systemTopics/readme.md b/arm/Microsoft.EventGrid/systemTopics/readme.md
index d6736c286d..6f84ee1544 100644
--- a/arm/Microsoft.EventGrid/systemTopics/readme.md
+++ b/arm/Microsoft.EventGrid/systemTopics/readme.md
@@ -17,8 +17,6 @@ This module deploys an Event Grid System Topic.
 | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) |
 | `Microsoft.EventGrid/systemTopics` | [2021-12-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2021-12-01/systemTopics) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
-| `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) |
-| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) |
 
 ## Parameters
 
@@ -43,7 +41,6 @@ This module deploys an Event Grid System Topic.
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
 | `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. |
-| `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Tags of the resource. |
diff --git a/arm/Microsoft.EventGrid/topics/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.EventGrid/topics/.bicep/nested_privateEndpoint.bicep
deleted file mode 100644
index 82ab478cd6..0000000000
--- a/arm/Microsoft.EventGrid/topics/.bicep/nested_privateEndpoint.bicep
+++ /dev/null
@@ -1,52 +0,0 @@
-param privateEndpointResourceId string
-param privateEndpointVnetLocation string
-param privateEndpointObj object
-param tags object
-
-var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
-var privateEndpoint_var = {
- name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}')
- subnetResourceId: privateEndpointObj.subnetResourceId
- service: [
- privateEndpointObj.service
- ]
- privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : [])
- customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null)
-}
-
-resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
- name: privateEndpoint_var.name
- location: privateEndpointVnetLocation
- tags: tags
- properties: {
- privateLinkServiceConnections: [
- {
- name: privateEndpoint_var.name
- properties: {
- privateLinkServiceId: privateEndpointResourceId
- groupIds: privateEndpoint_var.service
- }
- }
- ]
- manualPrivateLinkServiceConnections: []
- subnet: {
- id: privateEndpoint_var.subnetResourceId
- }
- customDnsConfigs: privateEndpoint_var.customDnsConfigs
- }
-}
-
-resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
- name: '${privateEndpoint_var.name}/default'
- properties: {
- privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): {
- name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/'))
- properties: {
- privateDnsZoneId: privateEndpoint_var.privateDnsZoneResourceIds[j]
- }
- }]
- }
- dependsOn: [
- privateEndpoint
- ]
-}
diff --git a/arm/Microsoft.EventGrid/topics/deploy.bicep b/arm/Microsoft.EventGrid/topics/deploy.bicep
index cdb809bb81..67ebee0e73 100644
--- a/arm/Microsoft.EventGrid/topics/deploy.bicep
+++ b/arm/Microsoft.EventGrid/topics/deploy.bicep
@@ -99,7 +99,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
-resource eventGrid 'Microsoft.EventGrid/topics@2020-06-01' = {
+resource topic 'Microsoft.EventGrid/topics@2020-06-01' = {
 name: name
 location: location
 tags: tags
@@ -109,16 +109,16 @@ resource eventGrid 'Microsoft.EventGrid/topics@2020-06-01' = {
 }
 }
 
-resource eventGrid_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
- name: '${eventGrid.name}-${lock}-lock'
+resource topic_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
+ name: '${topic.name}-${lock}-lock'
 properties: {
 level: lock
 notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
 }
- scope: eventGrid
+ scope: topic
 }
 
-resource eventGrid_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
+resource topic_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
 name: diagnosticSettingsName
 properties: {
 storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
@@ -128,38 +128,48 @@ resource eventGrid_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@202 metrics: diagnosticsMetrics logs: diagnosticsLogs } - scope: eventGrid + scope: topic } -module eventGrid_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) { - name: '${uniqueString(deployment().name, location)}-EventGrid-PrivateEndpoint-${index}' +module topic_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { + name: '${uniqueString(deployment().name, location)}-Topic-PrivateEndpoint-${index}' params: { - privateEndpointResourceId: eventGrid.id - privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) - privateEndpointObj: privateEndpoint - tags: tags + groupIds: [ + privateEndpoint.service + ] + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(topic.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: topic.id + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableDefaultTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified' + privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? 
privateEndpoint.customDnsConfigs : [] } }] -module eventGrid_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-EventGrid-Rbac-${index}' +module topic_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: '${uniqueString(deployment().name, location)}-topic-Rbac-${index}' params: { description: contains(roleAssignment, 'description') ? roleAssignment.description : '' principalIds: roleAssignment.principalIds principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : '' roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - resourceId: eventGrid.id + resourceId: topic.id } }] @description('The name of the event grid topic.') -output name string = eventGrid.name +output name string = topic.name @description('The resource ID of the event grid.') -output resourceId string = eventGrid.id +output resourceId string = topic.id @description('The name of the resource group the event grid was deployed into.') output resourceGroupName string = resourceGroup().name @description('The location the resource was deployed into.') -output location string = eventGrid.location +output location string = topic.location diff --git a/arm/Microsoft.EventGrid/topics/readme.md b/arm/Microsoft.EventGrid/topics/readme.md index 1ed608bee1..0b801ec338 100644 --- a/arm/Microsoft.EventGrid/topics/readme.md +++ b/arm/Microsoft.EventGrid/topics/readme.md 
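Review bot: The per-endpoint key for private DNS silently changes here: the deleted `nested_privateEndpoint.bicep` read `privateEndpointObj.privateDnsZoneResourceIds`, while the new call forwards `privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []`, so a parameter object that still carries `privateDnsZoneResourceIds` deploys without error but with no DNS zone group, and clients of that endpoint would presumably keep resolving the public FQDN instead of the private address. The identical module blocks in the EventHub namespaces, Insights privateLinkScopes, KeyVault vaults and MachineLearningServices workspaces deploy.bicep hunks have the same gap, and the readme hunks visible in this diff only bump the privateDnsZoneGroups API-version row rather than describing the renamed key. Either translate the legacy key (build a single `privateDnsZoneGroups` entry from `privateDnsZoneResourceIds` when only that key is present) or call out the rename as a breaking change in each module's `privateEndpoints` parameter description. Tag inheritance is also lost: the old module received the parent `tags`, whereas `tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}` leaves endpoints untagged unless each object repeats them; `tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : tags` keeps the previous behavior. Finally, the default endpoint name moves from `'${resourceName}-${service}'` to `'pe-${last(split(topic.id, '/'))}-${privateEndpoint.service}-${index}'`, so an existing deployment that relied on the default name will, in incremental mode, create a second private endpoint and leave the old one in place — worth a line in the changelog or readme.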
@@ -18,7 +18,7 @@ This module deploys an event grid topic. | `Microsoft.EventGrid/topics` | [2020-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.EventGrid/2020-06-01/topics) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters diff --git a/arm/Microsoft.EventHub/namespaces/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.EventHub/namespaces/.bicep/nested_privateEndpoint.bicep deleted file mode 100644 index ac35d182f8..0000000000 --- a/arm/Microsoft.EventHub/namespaces/.bicep/nested_privateEndpoint.bicep +++ /dev/null 
@@ -1,52 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpointObj object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}') - subnetResourceId: privateEndpointObj.subnetResourceId - service: [ - privateEndpointObj.service - ] - privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : []) - customDnsConfigs: contains(privateEndpointObj, 'customDnsConfigs') ? (!empty(privateEndpointObj.customDnsConfigs) ? privateEndpointObj.customDnsConfigs : null) : null -} - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } -} - -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { - name: '${privateEndpoint_var.name}/default' - properties: { - privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { - name: last(split(privateDnsZoneResourceId, '/')) - properties: { - privateDnsZoneId: privateDnsZoneResourceId - } - }] - } - dependsOn: [ - 
privateEndpoint - ] -} diff --git a/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json b/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json index 33cf7d93bf..bba54b6fac 100644 --- a/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.EventHub/namespaces/.parameters/parameters.json @@ -87,6 +87,14 @@ } ] }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "namespace" + } + ] + }, "diagnosticLogsRetentionInDays": { "value": 7 }, diff --git a/arm/Microsoft.EventHub/namespaces/deploy.bicep b/arm/Microsoft.EventHub/namespaces/deploy.bicep index e8f9737cc0..b73b846109 100644 --- a/arm/Microsoft.EventHub/namespaces/deploy.bicep +++ b/arm/Microsoft.EventHub/namespaces/deploy.bicep 
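Review bot: The new `privateEndpoints` validation value sets only `subnetResourceId` and `service`, so the `privateDnsZoneGroups`, `lock`, `roleAssignments` and `customDnsConfigs` pass-throughs that deploy.bicep now forwards to the shared `Microsoft.Network/privateEndpoints` module are never exercised by the module pipeline; the privateLinkScopes parameters.json hunk adds the same minimal shape. Since the DNS-related key was renamed in this change, the validation parameters are the only place a wrong key name would surface before a real deployment, so adding a `privateDnsZoneGroups` entry (in whatever shape the shared module expects, pointing at a validation private DNS zone placeholder such as `<validation-private-dns-zone-resource-id>`) to at least one of these files would be cheap insurance.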
@@ -277,13 +277,23 @@ module eventHubNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!em } } -module eventHubNamespace_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: { +module eventHubNamespace_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { name: '${uniqueString(deployment().name, location)}-EvhbNamespace-PrivateEndpoint-${index}' params: { - privateEndpointResourceId: eventHubNamespace.id - privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) - privateEndpointObj: endpoint - tags: tags + groupIds: [ + privateEndpoint.service + ] + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(eventHubNamespace.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: eventHubNamespace.id + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableDefaultTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified' + privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] } }] diff --git a/arm/Microsoft.EventHub/namespaces/readme.md b/arm/Microsoft.EventHub/namespaces/readme.md index 0c74bd249c..be4e504c71 100644 
--- a/arm/Microsoft.EventHub/namespaces/readme.md +++ b/arm/Microsoft.EventHub/namespaces/readme.md @@ -306,7 +306,6 @@ userAssignedIdentities: { module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-namespaces' params: { - } ``` @@ -409,6 +408,14 @@ module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { } ] }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "namespace" + } + ] + }, "diagnosticLogsRetentionInDays": { "value": 7 }, @@ -544,6 +551,12 @@ module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { ] } ] + privateEndpoints: [ + { + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + service: 'namespace' + } + ] diagnosticLogsRetentionInDays: 7 diagnosticStorageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' diff --git a/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_privateEndpoint.bicep deleted file mode 100644 index 5672ec5ea7..0000000000 --- a/arm/Microsoft.Insights/privateLinkScopes/.bicep/nested_privateEndpoint.bicep +++ /dev/null 
@@ -1,49 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpointObj object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}') - subnetResourceId: privateEndpointObj.subnetResourceId - service: [ - privateEndpointObj.service - ] - privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? ((empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds)) : []) - customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null) -} - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } - - resource privateDnsZoneGroups 'privateDnsZoneGroups@2021-05-01' = { - name: 'default' - properties: { - privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { - name: last(split(privateDnsZoneResourceId, '/')) - properties: { - privateDnsZoneId: privateDnsZoneResourceId - } - }] - } - } -} 
diff --git a/arm/Microsoft.Insights/privateLinkScopes/.parameters/parameters.json b/arm/Microsoft.Insights/privateLinkScopes/.parameters/parameters.json index 26b7103029..ef2f7dcf7a 100644 --- a/arm/Microsoft.Insights/privateLinkScopes/.parameters/parameters.json +++ b/arm/Microsoft.Insights/privateLinkScopes/.parameters/parameters.json @@ -22,6 +22,14 @@ ] } ] + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "azuremonitor" + } + ] } } } diff --git a/arm/Microsoft.Insights/privateLinkScopes/deploy.bicep b/arm/Microsoft.Insights/privateLinkScopes/deploy.bicep index ca2e65c199..256e05565d 100644 --- a/arm/Microsoft.Insights/privateLinkScopes/deploy.bicep +++ b/arm/Microsoft.Insights/privateLinkScopes/deploy.bicep 
@@ -68,13 +68,23 @@ resource privateLinkScope_lock 'Microsoft.Authorization/locks@2017-04-01' = if ( } } -module privateLinkScope_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: { +module privateLinkScope_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { name: '${uniqueString(deployment().name, location)}-PvtLinkScope-PrivateEndpoint-${index}' params: { - privateEndpointResourceId: privateLinkScope.id - privateEndpointVnetLocation: reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - privateEndpointObj: endpoint - tags: tags + groupIds: [ + privateEndpoint.service + ] + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(privateLinkScope.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: privateLinkScope.id + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableDefaultTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified' + privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] } }] diff --git a/arm/Microsoft.Insights/privateLinkScopes/readme.md b/arm/Microsoft.Insights/privateLinkScopes/readme.md index 3ed13fa91a..e127d33d45 100644 
--- a/arm/Microsoft.Insights/privateLinkScopes/readme.md +++ b/arm/Microsoft.Insights/privateLinkScopes/readme.md @@ -258,6 +258,14 @@ tags: { ] } ] + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "azuremonitor" + } + ] } } } @@ -289,6 +297,12 @@ module privateLinkScopes './Microsoft.Insights/privateLinkScopes/deploy.bicep' = ] } ] + privateEndpoints: [ + { + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + service: 'azuremonitor' + } + ] } ``` diff --git a/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep deleted file mode 100644 index 0e3f625a39..0000000000 --- a/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep +++ /dev/null 
@@ -1,49 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpointObj object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}') - subnetResourceId: privateEndpointObj.subnetResourceId - service: [ - privateEndpointObj.service - ] - privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : []) - customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null) -} - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } -} - -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { - name: '${privateEndpoint.name}/default' - properties: { - privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): { - name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/')) - properties: { - privateDnsZoneId: privateEndpoint_var.privateDnsZoneResourceIds[j] - 
} - }] - } -} diff --git a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json index bf3331329e..804986a4ad 100644 --- a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json +++ b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-kv-x-001" + "value": "<>-az-kv-x-002" }, "softDeleteRetentionInDays": { "value": 7 diff --git a/arm/Microsoft.KeyVault/vaults/deploy.bicep b/arm/Microsoft.KeyVault/vaults/deploy.bicep index f556ce9891..65a88b5af8 100644 --- a/arm/Microsoft.KeyVault/vaults/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/deploy.bicep 
@@ -281,13 +281,23 @@ module keyVault_keys 'keys/deploy.bicep' = [for (key, index) in keys: { } }] -module keyVault_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: { +module keyVault_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { name: '${uniqueString(deployment().name, location)}-KeyVault-PrivateEndpoint-${index}' params: { - privateEndpointResourceId: keyVault.id - privateEndpointVnetLocation: empty(privateEndpoints) ? 'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - privateEndpointObj: privateEndpoint - tags: tags + groupIds: [ + privateEndpoint.service + ] + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(keyVault.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: keyVault.id + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableDefaultTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified' + privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] } }] diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index 159f859edd..43b4f23147 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md 
+++ b/arm/Microsoft.KeyVault/vaults/readme.md @@ -21,7 +21,7 @@ This module deploys a key vault and its child resources. | `Microsoft.KeyVault/vaults/keys` | [2019-09-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/keys) | | `Microsoft.KeyVault/vaults/secrets` | [2019-09-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/secrets) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters @@ -405,7 +405,6 @@ privateEndpoints: [ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = { name: '${uniqueString(deployment().name)}-vaults' params: { - } ``` @@ -424,7 +423,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = { "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "<>-az-kv-x-001" + "value": "<>-az-kv-x-002" }, "softDeleteRetentionInDays": { "value": 7 @@ -562,7 +561,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = { module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = { name: '${uniqueString(deployment().name)}-vaults' params: { - name: '<>-az-kv-x-001' + name: '<>-az-kv-x-002' softDeleteRetentionInDays: 7 enableRbacAuthorization: false privateEndpoints: [ diff --git a/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_privateEndpoint.bicep deleted file mode 100644 index 82ab478cd6..0000000000 
--- a/arm/Microsoft.MachineLearningServices/workspaces/.bicep/nested_privateEndpoint.bicep
+++ /dev/null
@@ -1,52 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpointObj object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}') - subnetResourceId: privateEndpointObj.subnetResourceId - service: [ - privateEndpointObj.service - ] - privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : []) - customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null) -} - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } -} - -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-02-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { - name: '${privateEndpoint_var.name}/default' - properties: { - privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): { - name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/')) - properties: { - privateDnsZoneId: 
privateEndpoint_var.privateDnsZoneResourceIds[j] - } - }] - } - dependsOn: [ - privateEndpoint - ] -} diff --git a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep index b627b8f31b..0fe12a8f55 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep +++ b/arm/Microsoft.MachineLearningServices/workspaces/deploy.bicep 
@@ -255,13 +255,23 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@202 scope: workspace } -module workspace_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-MLWorkspace-PrivateEndpoints-${index}' +module workspace_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { + name: '${uniqueString(deployment().name, location)}-Workspace-PrivateEndpoint-${index}' params: { - privateEndpointResourceId: workspace.id - privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location) - privateEndpointObj: privateEndpoint - tags: tags + groupIds: [ + privateEndpoint.service + ] + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(workspace.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: workspace.id + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableDefaultTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified' + privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] } }] 
diff --git a/arm/Microsoft.MachineLearningServices/workspaces/readme.md b/arm/Microsoft.MachineLearningServices/workspaces/readme.md index 1aedc9c456..614dd1a6a0 100644 --- a/arm/Microsoft.MachineLearningServices/workspaces/readme.md +++ b/arm/Microsoft.MachineLearningServices/workspaces/readme.md @@ -19,7 +19,7 @@ This module deploys a Machine Learning Services Workspace. | `Microsoft.MachineLearningServices/workspaces` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2021-07-01/workspaces) | | `Microsoft.MachineLearningServices/workspaces/computes` | [2022-01-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.MachineLearningServices/2022-01-01-preview/workspaces/computes) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | ## Parameters diff --git a/arm/Microsoft.Network/bastionHosts/.bicep/nested_publicIPAddress.bicep b/arm/Microsoft.Network/bastionHosts/.bicep/nested_publicIPAddress.bicep deleted file mode 100644 index 9d6ee4e273..0000000000 --- a/arm/Microsoft.Network/bastionHosts/.bicep/nested_publicIPAddress.bicep +++ /dev/null 
@@ -1,153 +0,0 @@ -@description('Required. The name of the Public IP Address') -param name string - -@description('Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.') -param publicIPPrefixResourceId string = '' - -@description('Optional. The public IP address allocation method. - Static or Dynamic.') -param publicIPAllocationMethod string = 'Dynamic' - -@description('Optional. Public IP Address sku Name') -param skuName string = 'Basic' - -@description('Optional. Public IP Address pricing tier') -param skuTier string = 'Regional' - -@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') -@minValue(0) -@maxValue(365) -param diagnosticLogsRetentionInDays int = 365 - -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource identifier of log analytics.') -param diagnosticWorkspaceId string = '' - -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' - -@allowed([ - 'CanNotDelete' - 'NotSpecified' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = 'NotSpecified' - -@description('Optional. Location for all resources.') -param location string = resourceGroup().location - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments array = [] - -@description('Optional. Tags of the resource.') -param tags object = {} - -@description('Optional. The name of logs that will be streamed.') -@allowed([ - 'DDoSProtectionNotifications' - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' -]) -param diagnosticLogCategoriesToEnable array = [ - 'DDoSProtectionNotifications' - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' -] - -@description('Optional. The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param diagnosticMetricsToEnable array = [ - 'AllMetrics' -] - -@description('Optional. The name of the diagnostic setting, if deployed.') -param diagnosticSettingsName string = '${name}-diagnosticSettings' - -var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: { - category: category - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } -}] - -var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: { - category: metric - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } -}] - -var publicIPPrefix = { - id: publicIPPrefixResourceId -} - -resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' = { - name: name - location: location - tags: tags - sku: { - name: skuName - tier: skuTier - } - properties: { - publicIPAddressVersion: 'IPv4' - publicIPAllocationMethod: publicIPAllocationMethod - publicIPPrefix: !empty(publicIPPrefixResourceId) ? 
publicIPPrefix : null - idleTimeoutInMinutes: 4 - ipTags: [] - } -} - -resource publicIpAddress_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { - name: '${publicIpAddress.name}-${lock}-lock' - properties: { - level: lock - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' - } - scope: publicIpAddress -} - -resource publicIpAddress_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: diagnosticSettingsName - properties: { - storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null - workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null - eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null - eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null - metrics: diagnosticsMetrics - logs: diagnosticsLogs - } - scope: publicIpAddress -} - -module publicIpAddress_rbac 'nested_publicIPAddress_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${deployment().name}-rbac-${index}' - params: { - description: contains(roleAssignment, 'description') ? roleAssignment.description : '' - principalIds: roleAssignment.principalIds - principalType: contains(roleAssignment, 'principalType') ? 
roleAssignment.principalType : '' - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - resourceId: publicIpAddress.id - } -}] - -@description('The resource group the public IP address was deployed into') -output resourceGroupName string = resourceGroup().name - -@description('The name of the public IP address') -output name string = publicIpAddress.name - -@description('The resource ID of the public IP address') -output resourceId string = publicIpAddress.id diff --git a/arm/Microsoft.Network/bastionHosts/.bicep/nested_publicIPAddress_rbac.bicep b/arm/Microsoft.Network/bastionHosts/.bicep/nested_publicIPAddress_rbac.bicep deleted file mode 100644 index 8c3558ae55..0000000000 --- a/arm/Microsoft.Network/bastionHosts/.bicep/nested_publicIPAddress_rbac.bicep +++ /dev/null 
@@ -1,61 +0,0 @@ -@sys.description('Required. The IDs of the principals to assign the role to.') -param principalIds array - -@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.') -param roleDefinitionIdOrName string - -@sys.description('Required. The resource ID of the resource to apply the role assignment to.') -param resourceId string - -@sys.description('Optional. The principal type of the assigned principal ID.') -@allowed([ - 'ServicePrincipal' - 'Group' - 'User' - 'ForeignGroup' - 'Device' - '' -]) -param principalType string = '' - -@sys.description('Optional. The description of the role assignment.') -param description string = '' - -var builtInRoleNames = { - 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') - 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') - 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64') - 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') - 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893') - 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e') - 'Managed Application Operator Role': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') - 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') - 'Microsoft OneAsset Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fd1bb084-1503-4bd2-99c0-630220046786') - 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') - 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') - 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') - 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') - 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4') - 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') - 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52') -} - -resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-05-01' existing = { - name: last(split(resourceId, '/')) -} - -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: { - name: guid(publicIpAddress.id, principalId, roleDefinitionIdOrName) - properties: { - description: description - 
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName - principalId: principalId - principalType: !empty(principalType) ? any(principalType) : null - } - scope: publicIpAddress -}] diff --git a/arm/Microsoft.Network/bastionHosts/.parameters/parameters.json b/arm/Microsoft.Network/bastionHosts/.parameters/parameters.json index 0b1cd0d25b..144dfd3e00 100644 --- a/arm/Microsoft.Network/bastionHosts/.parameters/parameters.json +++ b/arm/Microsoft.Network/bastionHosts/.parameters/parameters.json @@ -8,7 +8,7 @@ "vNetId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001" }, - "publicIPAddressId": { + "publicIPAddressResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-bas" }, "skuType": { diff --git a/arm/Microsoft.Network/bastionHosts/deploy.bicep b/arm/Microsoft.Network/bastionHosts/deploy.bicep index e8593a831e..542b69ba1b 100644 --- a/arm/Microsoft.Network/bastionHosts/deploy.bicep +++ b/arm/Microsoft.Network/bastionHosts/deploy.bicep 
@@ -8,9 +8,9 @@ param location string = resourceGroup().location
 param vNetId string
 
 @description('Optional. Specifies the resource ID of the existing public IP to be leveraged by Azure Bastion.')
-param publicIPAddressId string = ''
+param publicIPAddressResourceId string = ''
 
-@description('Optional. Specifies the properties of the public IP to create and be used by Azure Bastion. If it\'s not provided and publicIPAddressId is empty, a \'-pip\' suffix will be appended to the Bastion\'s name.')
+@description('Optional. Specifies the properties of the public IP to create and be used by Azure Bastion. If it\'s not provided and publicIPAddressResourceId is empty, a \'-pip\' suffix will be appended to the Bastion\'s name.')
 param publicIPAddressObject object = {}
 
 @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
@@ -91,42 +91,39 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource publicIPAddressExisting 'Microsoft.Network/publicIPAddresses@2021-05-01' existing = if (!empty(publicIPAddressId)) { - name: last(split(publicIPAddressId, '/')) - scope: resourceGroup(split(publicIPAddressId, '/')[2], split(publicIPAddressId, '/')[4]) +resource publicIPAddressExisting 'Microsoft.Network/publicIPAddresses@2021-05-01' existing = if (!empty(publicIPAddressResourceId)) { + name: last(split(publicIPAddressResourceId, '/')) + scope: resourceGroup(split(publicIPAddressResourceId, '/')[2], split(publicIPAddressResourceId, '/')[4]) } -module publicIPAddress '.bicep/nested_publicIPAddress.bicep' = if (empty(publicIPAddressId)) { +module publicIPAddress '../publicIPAddresses/deploy.bicep' = if (empty(publicIPAddressResourceId)) { name: '${uniqueString(deployment().name, location)}-Bastion-PIP' params: { - name: contains(publicIPAddressObject, 'name') ? (!(empty(publicIPAddressObject.name)) ? publicIPAddressObject.name : '${name}-pip') : '${name}-pip' - publicIPPrefixResourceId: contains(publicIPAddressObject, 'publicIPPrefixResourceId') ? (!(empty(publicIPAddressObject.publicIPPrefixResourceId)) ? publicIPAddressObject.publicIPPrefixResourceId : '') : '' - publicIPAllocationMethod: contains(publicIPAddressObject, 'publicIPAllocationMethod') ? (!(empty(publicIPAddressObject.publicIPAllocationMethod)) ? publicIPAddressObject.publicIPAllocationMethod : 'Static') : 'Static' - skuName: contains(publicIPAddressObject, 'skuName') ? (!(empty(publicIPAddressObject.skuName)) ? publicIPAddressObject.skuName : 'Standard') : 'Standard' - skuTier: contains(publicIPAddressObject, 'skuTier') ? (!(empty(publicIPAddressObject.skuTier)) ? publicIPAddressObject.skuTier : 'Regional') : 'Regional' - roleAssignments: contains(publicIPAddressObject, 'roleAssignments') ? (!empty(publicIPAddressObject.roleAssignments) ? 
publicIPAddressObject.roleAssignments : []) : [] - diagnosticMetricsToEnable: contains(publicIPAddressObject, 'diagnosticMetricsToEnable') ? (!(empty(publicIPAddressObject.diagnosticMetricsToEnable)) ? publicIPAddressObject.diagnosticMetricsToEnable : [ - 'AllMetrics' - ]) : [ - 'AllMetrics' - ] - diagnosticLogCategoriesToEnable: contains(publicIPAddressObject, 'diagnosticLogCategoriesToEnable') ? (!(empty(publicIPAddressObject.diagnosticLogCategoriesToEnable)) ? publicIPAddressObject.diagnosticLogCategoriesToEnable : [ - 'DDoSProtectionNotifications' - 'DDoSMitigationFlowLogs' - 'DDoSMitigationReports' - ]) : [ + name: contains(publicIPAddressObject, 'name') ? publicIPAddressObject.name : '${name}-pip' + diagnosticLogCategoriesToEnable: contains(publicIPAddressObject, 'diagnosticLogCategoriesToEnable') ? publicIPAddressObject.diagnosticLogCategoriesToEnable : [ 'DDoSProtectionNotifications' 'DDoSMitigationFlowLogs' 'DDoSMitigationReports' ] - location: location + diagnosticMetricsToEnable: contains(publicIPAddressObject, 'diagnosticMetricsToEnable') ? publicIPAddressObject.diagnosticMetricsToEnable : [ + 'AllMetrics' + ] diagnosticStorageAccountId: diagnosticStorageAccountId diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays diagnosticWorkspaceId: diagnosticWorkspaceId diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId diagnosticEventHubName: diagnosticEventHubName + enableDefaultTelemetry: enableDefaultTelemetry + location: location lock: lock + publicIPAddressVersion: contains(publicIPAddressObject, 'publicIPAddressVersion') ? publicIPAddressObject.publicIPAddressVersion : 'IPv4' + publicIPAllocationMethod: contains(publicIPAddressObject, 'publicIPAllocationMethod') ? publicIPAddressObject.publicIPAllocationMethod : 'Static' + publicIPPrefixResourceId: contains(publicIPAddressObject, 'publicIPPrefixResourceId') ? 
publicIPAddressObject.publicIPPrefixResourceId : '' + roleAssignments: contains(publicIPAddressObject, 'roleAssignments') ? publicIPAddressObject.roleAssignments : [] + skuName: contains(publicIPAddressObject, 'skuName') ? publicIPAddressObject.skuName : 'Standard' + skuTier: contains(publicIPAddressObject, 'skuTier') ? publicIPAddressObject.skuTier : 'Regional' tags: tags + zones: contains(publicIPAddressObject, 'zones') ? publicIPAddressObject.zones : [] } } @@ -147,7 +144,7 @@ resource azureBastion 'Microsoft.Network/bastionHosts@2021-05-01' = { id: '${vNetId}/subnets/AzureBastionSubnet' } publicIPAddress: { - id: !(empty(publicIPAddressId)) ? publicIPAddressId : publicIPAddress.outputs.resourceId + id: !empty(publicIPAddressResourceId) ? publicIPAddressResourceId : publicIPAddress.outputs.resourceId } } } diff --git a/arm/Microsoft.Network/bastionHosts/readme.md b/arm/Microsoft.Network/bastionHosts/readme.md index 54dad8d328..06da945085 100644 --- a/arm/Microsoft.Network/bastionHosts/readme.md +++ b/arm/Microsoft.Network/bastionHosts/readme.md 
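Review bot: The new `name`, `skuName`, `skuTier`, `publicIPAllocationMethod` and `publicIPPrefixResourceId` lines test only `contains(publicIPAddressObject, ...)`, dropping the `!empty(...)` fallback the removed lines applied, so a caller that passes an explicitly empty value (for example `publicIPAddressObject: { skuName: '' }`) now forwards it to the public IP module instead of receiving the `Standard` default; for Bastion, which needs a Standard static public IP, that turns a silent correction into a deployment-time failure. If forwarding keys verbatim is the intended alignment with the shared module, the `publicIPAddressObject` description at the top of the file should say so. Otherwise the nested form the removed lines used, `skuName: contains(publicIPAddressObject, 'skuName') ? (!empty(publicIPAddressObject.skuName) ? publicIPAddressObject.skuName : 'Standard') : 'Standard'`, restores the previous behaviour for the keys that matter. Separately, the renamed `publicIPAddressExisting` block still derives subscription and resource group positionally via `split(publicIPAddressResourceId, '/')[2]` and `[4]` with no check that the value is a full resource ID, which this rename touched but did not address.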
@@ -40,8 +40,8 @@ This module deploys a bastion host. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | -| `publicIPAddressId` | string | `''` | | Specifies the resource ID of the existing public IP to be leveraged by Azure Bastion. | -| `publicIPAddressObject` | object | `{object}` | | Specifies the properties of the public IP to create and be used by Azure Bastion. If it's not provided and publicIPAddressId is empty, a '-pip' suffix will be appended to the Bastion's name. | +| `publicIPAddressObject` | object | `{object}` | | Specifies the properties of the public IP to create and be used by Azure Bastion. If it's not provided and publicIPAddressResourceId is empty, a '-pip' suffix will be appended to the Bastion's name. | +| `publicIPAddressResourceId` | string | `''` | | Specifies the resource ID of the existing public IP to be leveraged by Azure Bastion. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `scaleUnits` | int | `2` | | The scale units for the Bastion Host resource. | | `skuType` | string | `'Basic'` | `[Basic, Standard]` | The SKU of this Bastion Host. | 
@@ -216,7 +216,7 @@ module bastionHosts './Microsoft.Network/bastionHosts/deploy.bicep' = { "vNetId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001" }, - "publicIPAddressId": { + "publicIPAddressResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-bas" }, "skuType": { @@ -267,7 +267,7 @@ module bastionHosts './Microsoft.Network/bastionHosts/deploy.bicep' = { params: { name: '<>-az-bas-x-001' vNetId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001' - publicIPAddressId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-bas' + publicIPAddressResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-bas' skuType: 'Standard' scaleUnits: 4 roleAssignments: [ diff --git a/arm/Microsoft.Network/networkInterfaces/deploy.bicep b/arm/Microsoft.Network/networkInterfaces/deploy.bicep index 611c37b801..c3c5666abc 100644 --- a/arm/Microsoft.Network/networkInterfaces/deploy.bicep +++ b/arm/Microsoft.Network/networkInterfaces/deploy.bicep 
@@ -105,9 +105,9 @@ resource networkInterface 'Microsoft.Network/networkInterfaces@2021-05-01' = {
 primary: index == 0 ? true : false
 privateIPAllocationMethod: contains(ipConfiguration, 'privateIPAllocationMethod') ? (!empty(ipConfiguration.privateIPAllocationMethod) ? ipConfiguration.privateIPAllocationMethod : null) : null
 privateIPAddress: contains(ipConfiguration, 'vmIPAddress') ? (!empty(ipConfiguration.vmIPAddress) ? ipConfiguration.vmIPAddress : null) : null
- publicIPAddress: contains(ipConfiguration, 'publicIPAddressResourceId') ? {
+ publicIPAddress: contains(ipConfiguration, 'publicIPAddressResourceId') ? (ipConfiguration.publicIPAddressResourceId != null ? {
 id: ipConfiguration.publicIPAddressResourceId
- } : null
+ } : null) : null
 subnet: {
 id: ipConfiguration.subnetId
 }
diff --git a/arm/Microsoft.Network/privateEndpoints/.bicep/nested_pid.bicep b/arm/Microsoft.Network/privateEndpoints/.bicep/nested_pid.bicep
deleted file mode 100644
index 8b13789179..0000000000
--- a/arm/Microsoft.Network/privateEndpoints/.bicep/nested_pid.bicep
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/arm/Microsoft.Network/privateEndpoints/.parameters/min.parameters.json b/arm/Microsoft.Network/privateEndpoints/.parameters/min.parameters.json
index bfe13c34ed..aa3ea8eba2 100644
--- a/arm/Microsoft.Network/privateEndpoints/.parameters/min.parameters.json
+++ b/arm/Microsoft.Network/privateEndpoints/.parameters/min.parameters.json
@@ -5,13 +5,13 @@
 "name": {
 "value": "<>-az-pe-kvlt-min-001"
 },
- "targetSubnetResourceId": {
+ "subnetResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints"
 },
 "serviceResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe"
 },
- "groupId": {
+ "groupIds": {
 "value": [
 "vault"
 ]
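Review bot: The added guard `ipConfiguration.publicIPAddressResourceId != null ? {` only catches an explicit `null`; an empty string, which the `privateIPAllocationMethod` and `privateIPAddress` lines directly above treat as absent via `!empty(...)`, still produces `{ id: '' }` and the network interface deployment then fails on an invalid reference. Using the same test keeps the three properties consistent: `publicIPAddress: contains(ipConfiguration, 'publicIPAddressResourceId') ? (!empty(ipConfiguration.publicIPAddressResourceId) ? {`. `empty()` also returns true for `null`, so the case this commit targets stays covered. The enclosing `networkInterface` resource and its `ipConfigurations` loop start outside the hunk.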
diff --git a/arm/Microsoft.Network/privateEndpoints/.parameters/parameters.json b/arm/Microsoft.Network/privateEndpoints/.parameters/parameters.json index 5b5f6f17bb..eaa2b9a9a2 100644 --- a/arm/Microsoft.Network/privateEndpoints/.parameters/parameters.json +++ b/arm/Microsoft.Network/privateEndpoints/.parameters/parameters.json @@ -5,13 +5,13 @@ "name": { "value": "<>-az-pe-kvlt-001" }, - "targetSubnetResourceId": { + "subnetResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" }, "serviceResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe" }, - "groupId": { + "groupIds": { "value": [ "vault" ] diff --git a/arm/Microsoft.Network/privateEndpoints/deploy.bicep b/arm/Microsoft.Network/privateEndpoints/deploy.bicep index 9ef96fdd1c..3bfde4e6db 100644 --- a/arm/Microsoft.Network/privateEndpoints/deploy.bicep +++ b/arm/Microsoft.Network/privateEndpoints/deploy.bicep @@ -2,13 +2,13 @@ param name string @description('Required. Resource ID of the subnet where the endpoint needs to be created.') -param targetSubnetResourceId string +param subnetResourceId string @description('Required. Resource ID of the resource that needs to be connected to the network.') param serviceResourceId string @description('Required. Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to.') -param groupId array +param groupIds array @description('Optional. Array of Private DNS zone groups configuration on the private endpoint.') param privateDnsZoneGroups array = [] 
@@ -30,6 +30,12 @@ param roleAssignments array = []
 @description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
 param tags object = {}
 
+@description('Optional. Custom DNS configurations.')
+param customDnsConfigs array = []
+
+@description('Optional. Manual PrivateLink Service Connections.')
+param manualPrivateLinkServiceConnections array = []
+
 @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
 param enableDefaultTelemetry bool = true
 
@@ -57,15 +63,15 @@ resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
 name: name
 properties: {
 privateLinkServiceId: serviceResourceId
- groupIds: groupId
+ groupIds: groupIds
 }
 }
 ]
- manualPrivateLinkServiceConnections: []
+ manualPrivateLinkServiceConnections: manualPrivateLinkServiceConnections
 subnet: {
- id: targetSubnetResourceId
+ id: subnetResourceId
 }
- customDnsConfigs: []
+ customDnsConfigs: customDnsConfigs
 }
 }
 
diff --git a/arm/Microsoft.Network/privateEndpoints/privateDnsZoneGroups/deploy.bicep b/arm/Microsoft.Network/privateEndpoints/privateDnsZoneGroups/deploy.bicep
index db01f717a2..46e9dd21b9 100644
--- a/arm/Microsoft.Network/privateEndpoints/privateDnsZoneGroups/deploy.bicep
+++ b/arm/Microsoft.Network/privateEndpoints/privateDnsZoneGroups/deploy.bicep
@@ -23,7 +23,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 var privateDnsZoneConfigs = [for privateDNSResourceId in privateDNSResourceIds: {
- name: privateEndpointName
+ name: last(split(privateDNSResourceId, '/'))
 properties: {
 privateDnsZoneId: privateDNSResourceId
 }
diff --git a/arm/Microsoft.Network/privateEndpoints/readme.md b/arm/Microsoft.Network/privateEndpoints/readme.md
index 143e67d985..b2d77218be 100644
--- a/arm/Microsoft.Network/privateEndpoints/readme.md
+++ b/arm/Microsoft.Network/privateEndpoints/readme.md
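Review bot: The two new parameters are documented only by their names (`'Optional. Custom DNS configurations.'` and `'Optional. Manual PrivateLink Service Connections.'`), while the second hunk in this file passes them straight into the `Microsoft.Network/privateEndpoints` resource, so a caller has to read the resource schema to learn what each array element must contain. Since every call site in this commit defaults them to `[]`, a description naming the element shape is enough: `@description('Optional. Custom DNS configurations. Each element is an object with \'fqdn\' and \'ipAddresses\', as accepted by the privateEndpoints resource.')` and `@description('Optional. Manual private link service connections, used when the connection to the target service must be approved by the service owner; each element follows the privateLinkServiceConnection schema.')`. The generated readme rows changed later in this commit mirror these strings, so they need regenerating after the descriptions are updated.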
@@ -33,17 +33,19 @@ The following resources are required to be able to deploy this resource: **Required parameters** | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `groupId` | array | Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to. | +| `groupIds` | array | Subtype(s) of the connection to be created. The allowed values depend on the type serviceResourceId refers to. | | `name` | string | Name of the private endpoint resource to create. | | `serviceResourceId` | string | Resource ID of the resource that needs to be connected to the network. | -| `targetSubnetResourceId` | string | Resource ID of the subnet where the endpoint needs to be created. | +| `subnetResourceId` | string | Resource ID of the subnet where the endpoint needs to be created. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | +| `customDnsConfigs` | array | `[]` | | Custom DNS configurations. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | | `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | +| `manualPrivateLinkServiceConnections` | array | `[]` | | Manual PrivateLink Service Connections. | | `privateDnsZoneGroups` | _[privateDnsZoneGroups](privateDnsZoneGroups/readme.md)_ array | `[]` | | Array of Private DNS zone groups configuration on the private endpoint. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags to be applied on all resources/resource groups in this deployment. | @@ -174,13 +176,13 @@ roleAssignments: [ "name": { "value": "<>-az-pe-kvlt-min-001" }, - "targetSubnetResourceId": { + "subnetResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" }, "serviceResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe" }, - "groupId": { + "groupIds": { "value": [ "vault" ] @@ -201,9 +203,9 @@ module privateEndpoints './Microsoft.Network/privateEndpoints/deploy.bicep' = { name: '${uniqueString(deployment().name)}-privateEndpoints' params: { name: '<>-az-pe-kvlt-min-001' - targetSubnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' serviceResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe' - groupId: [ + groupIds: [ 'vault' ] } 
@@ -226,13 +228,13 @@ module privateEndpoints './Microsoft.Network/privateEndpoints/deploy.bicep' = { "name": { "value": "<>-az-pe-kvlt-001" }, - "targetSubnetResourceId": { + "subnetResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" }, "serviceResourceId": { "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe" }, - "groupId": { + "groupIds": { "value": [ "vault" ] @@ -272,9 +274,9 @@ module privateEndpoints './Microsoft.Network/privateEndpoints/deploy.bicep' = { name: '${uniqueString(deployment().name)}-privateEndpoints' params: { name: '<>-az-pe-kvlt-001' - targetSubnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' serviceResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-pe' - groupId: [ + groupIds: [ 'vault' ] privateDnsZoneGroups: [ diff --git a/arm/Microsoft.Network/trafficmanagerprofiles/deploy.bicep b/arm/Microsoft.Network/trafficmanagerprofiles/deploy.bicep index 3266752d2d..da5b05b4bf 100644 --- a/arm/Microsoft.Network/trafficmanagerprofiles/deploy.bicep +++ b/arm/Microsoft.Network/trafficmanagerprofiles/deploy.bicep 
@@ -181,11 +181,11 @@ module trafficManagerProfile_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignm
 }
 }]
 
-@description('The resource ID of the traffix manager.')
+@description('The resource ID of the traffic manager.')
 output resourceId string = trafficManagerProfile.id
 
-@description('The resource group the traffix manager was deployed into.')
+@description('The resource group the traffic manager was deployed into.')
 output resourceGroupName string = resourceGroup().name
 
-@description('The name of the traffix manager was deployed into.')
+@description('The name of the traffic manager was deployed into.')
 output name string = trafficManagerProfile.name
diff --git a/arm/Microsoft.Network/trafficmanagerprofiles/readme.md b/arm/Microsoft.Network/trafficmanagerprofiles/readme.md
index 3fe55b13cf..8d37a61e2f 100644
--- a/arm/Microsoft.Network/trafficmanagerprofiles/readme.md
+++ b/arm/Microsoft.Network/trafficmanagerprofiles/readme.md
@@ -244,9 +244,9 @@ tags: {
 
 | Output Name | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the traffix manager was deployed into. |
-| `resourceGroupName` | string | The resource group the traffix manager was deployed into. |
-| `resourceId` | string | The resource ID of the traffix manager. |
+| `name` | string | The name of the traffic manager was deployed into. |
+| `resourceGroupName` | string | The resource group the traffic manager was deployed into. |
+| `resourceId` | string | The resource ID of the traffic manager. |
 
 ## Deployment examples
 
diff --git a/arm/Microsoft.RecoveryServices/vaults/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/deploy.bicep
index 3234d1f472..d139a63e4d 100644
--- a/arm/Microsoft.RecoveryServices/vaults/deploy.bicep
+++ b/arm/Microsoft.RecoveryServices/vaults/deploy.bicep
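Review bot: The third description is still wrong after the typo fix: `@description('The name of the traffic manager was deployed into.')` keeps the "was deployed into" wording copied from the resource group output above it, so the `name` output is documented as if it were a location. It should read `@description('The name of the traffic manager.')`. The readme output table changed in the next hunk carries the same sentence and is generated from this string, so it needs regenerating once the description is corrected.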
@@ -209,6 +209,8 @@ module rsv_protectionContainers 'protectionContainers/deploy.bicep' = [for (prot
 backupManagementType: protectionContainer.backupManagementType
 containerType: protectionContainer.containerType
 enableDefaultTelemetry: enableChildTelemetry
+ protectedItems: contains(protectionContainer, 'protectedItems') ? protectionContainer.protectedItems : []
+ location: location
 }
 }]
diff --git a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/deploy.bicep
index 09842fb3d4..21f4a6ab47 100644
--- a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/deploy.bicep
+++ b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/deploy.bicep
@@ -4,6 +4,9 @@ param recoveryVaultName string
 @description('Required. Name of the Azure Recovery Service Vault Protection Container.')
 param name string
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
 @description('Optional. Backup management type to execute the current Protection Container job.')
 @allowed([
 'AzureBackupServer'
@@ -25,6 +28,9 @@ param sourceResourceId string = ''
 @description('Optional. Friendly name of the Protection Container.')
 param friendlyName string = ''
+@description('Optional. Protected items to register in the container')
+param protectedItems array = []
+
 @description('Optional. Type of the container.')
 @allowed([
 'AzureBackupServerContainer'
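Review bot: The new `protectedItems` parameter in `protectionContainers/deploy.bicep` (hunk `@@ -25,6 +28,9 @@`) is described only as `'Optional. Protected items to register in the container'`, with nothing about the object shape, yet the loop that consumes it (the next hunk of the same file) reads `policyId`, `name`, `protectedItemType` and `sourceResourceId` from every entry with no defaults, so an entry missing any of them presumably fails deep in the deployment rather than at parameter validation. I would state the contract in the description, e.g. `@description('Optional. Protected items to register in the container. Each entry must provide name, policyId, protectedItemType and sourceResourceId (see protectedItems/deploy.bicep).')`, which also restores the trailing period every other description in this file has and flows into the generated readme table.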
@@ -65,6 +71,23 @@ resource protectionContainer 'Microsoft.RecoveryServices/vaults/backupFabrics/pr
 }
 }
+module protectionContainer_protectedItems 'protectedItems/deploy.bicep' = [for (protectedItem, index) in protectedItems: {
+ name: '${uniqueString(deployment().name, location)}-ProtectedItem-${index}'
+ params: {
+ policyId: protectedItem.policyId
+ name: protectedItem.name
+ protectedItemType: protectedItem.protectedItemType
+ protectionContainerName: name
+ recoveryVaultName: recoveryVaultName
+ sourceResourceId: protectedItem.sourceResourceId
+ location: location
+ enableDefaultTelemetry: enableDefaultTelemetry
+ }
+ dependsOn: [
+ protectionContainer
+ ]
+}]
+
 @description('The name of the Resource Group the Protection Container was created in.')
 output resourceGroupName string = resourceGroup().name
diff --git a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/deploy.bicep b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/deploy.bicep
new file mode 100644
index 0000000000..bb0288ee02
--- /dev/null
+++ b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/deploy.bicep
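Review bot: The `protectionContainer_protectedItems` loop hands the child the container as a plain string (`protectionContainerName: name`) rather than through the `protectionContainer` symbol, so Bicep cannot infer the ordering and the explicit `dependsOn: [ protectionContainer ]` is the only thing preventing the items from being deployed before their container exists; that deserves a comment so it is not removed later as redundant, e.g. `// explicit dependsOn: the child receives the container name, not the resource, so Bicep cannot infer this dependency`. A one-line header such as `// One nested deployment per protectedItems entry; every item is registered in this container` would also help readers of the new block.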
@@ -0,0 +1,66 @@
+@description('Required. Name of the resource.')
+param name string
+
+@description('Conditional. Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment.')
+param protectionContainerName string
+
+@description('Conditional. The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment.')
+param recoveryVaultName string
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@allowed([
+ 'AzureFileShareProtectedItem'
+ 'AzureVmWorkloadSAPAseDatabase'
+ 'AzureVmWorkloadSAPHanaDatabase'
+ 'AzureVmWorkloadSQLDatabase'
+ 'DPMProtectedItem'
+ 'GenericProtectedItem'
+ 'MabFileFolderProtectedItem'
+ 'Microsoft.ClassicCompute/virtualMachines'
+ 'Microsoft.Compute/virtualMachines'
+ 'Microsoft.Sql/servers/databases'
+])
+@description('Required. The backup item type')
+param protectedItemType string
+
+@description('Required. ID of the backup policy with which this item is backed up.')
+param policyId string
+
+@description('Required. Resource ID of the resource to back up')
+param sourceResourceId string
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource protectedItem 'Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems@2021-06-01' = {
+ name: '${recoveryVaultName}/Azure/${protectionContainerName}/${name}'
+ location: location
+ properties: {
+ protectedItemType: any(protectedItemType)
+ policyId: policyId
+ sourceResourceId: sourceResourceId
+ }
+}
+
+@description('The name of the Resource Group the protected item was created in.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The resource ID of the protected item.')
+output resourceId string = protectedItem.id
+
+@description('The Name of the protected item.')
+output name string = protectedItem.name
diff --git a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/readme.md b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/readme.md
new file mode 100644
index 0000000000..d3020e1386
--- /dev/null
+++ b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/readme.md
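Review bot: `protectedItemType: any(protectedItemType)` in the `protectedItem` resource switches off Bicep's type checking for that property with no explanation, and the resource name hard-codes the `Azure` backup-fabric segment (`'${recoveryVaultName}/Azure/${protectionContainerName}/${name}'`), so a reader cannot tell whether either is deliberate or a workaround. I would annotate both: `// any(): presumably needed because the protectedItems schema is a union keyed on protectedItemType that the type checker cannot narrow from a string parameter — confirm` and `// 'Azure' is the backup fabric name used here for Azure-hosted workloads; other fabrics are not supported by this module`. Separately, `'Required. The backup item type'` and `'Required. Resource ID of the resource to back up'` are the only descriptions in the file without a trailing period, and the generated readme copies them verbatim.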
@@ -0,0 +1,46 @@ +# Recovery Service Vault Protection Container Protected Item `[Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems]` + +This module deploys a Protection Container Protected Item for a Recovery Services Vault + +## Navigation + +- [Resource types](#Resource-types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) + +## Resource types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-06-01/vaults/backupFabrics/protectionContainers/protectedItems) | + +## Parameters + +**Required parameters** +| Parameter Name | Type | Allowed Values | Description | +| :-- | :-- | :-- | :-- | +| `name` | string | | Name of the resource. | +| `policyId` | string | | ID of the backup policy with which this item is backed up. | +| `protectedItemType` | string | `[AzureFileShareProtectedItem, AzureVmWorkloadSAPAseDatabase, AzureVmWorkloadSAPHanaDatabase, AzureVmWorkloadSQLDatabase, DPMProtectedItem, GenericProtectedItem, MabFileFolderProtectedItem, Microsoft.ClassicCompute/virtualMachines, Microsoft.Compute/virtualMachines, Microsoft.Sql/servers/databases]` | The backup item type | +| `sourceResourceId` | string | | Resource ID of the resource to back up | + +**Conditional parameters** +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `protectionContainerName` | string | Name of the Azure Recovery Service Vault Protection Container. Required if the template is used in a standalone deployment. | +| `recoveryVaultName` | string | The name of the parent Azure Recovery Service Vault. Required if the template is used in a standalone deployment. 
| + +**Optional parameters** +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `location` | string | `[resourceGroup().location]` | Location for all resources. | + + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The Name of the protected item. | +| `resourceGroupName` | string | The name of the Resource Group the protected item was created in. | +| `resourceId` | string | The resource ID of the protected item. | diff --git a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/version.json b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/version.json new file mode 100644 index 0000000000..56f8d9ca40 --- /dev/null +++ b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.4" +} diff --git a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/readme.md b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/readme.md index f1184c6f16..f3c520b4b5 100644 --- a/arm/Microsoft.RecoveryServices/vaults/protectionContainers/readme.md +++ b/arm/Microsoft.RecoveryServices/vaults/protectionContainers/readme.md 
@@ -13,6 +13,7 @@ This module deploys a Protection Container for a Recovery Services Vault | Resource Type | API Version | | :-- | :-- | | `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupFabrics/protectionContainers) | +| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-06-01/vaults/backupFabrics/protectionContainers/protectedItems) | ## Parameters @@ -33,6 +34,8 @@ This module deploys a Protection Container for a Recovery Services Vault | `containerType` | string | `''` | `[AzureBackupServerContainer, AzureSqlContainer, GenericContainer, Microsoft.ClassicCompute/virtualMachines, Microsoft.Compute/virtualMachines, SQLAGWorkLoadContainer, StorageContainer, VMAppContainer, Windows, ]` | Type of the container. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `friendlyName` | string | `''` | | Friendly name of the Protection Container. | +| `location` | string | `[resourceGroup().location]` | | Location for all resources. | +| `protectedItems` | _[protectedItems](protectedItems/readme.md)_ array | `[]` | | Protected items to register in the container | | `sourceResourceId` | string | `''` | | Resource ID of the target resource for the Protection Container. | diff --git a/arm/Microsoft.RecoveryServices/vaults/readme.md b/arm/Microsoft.RecoveryServices/vaults/readme.md index a6ae6a7461..854102918c 100644 --- a/arm/Microsoft.RecoveryServices/vaults/readme.md +++ b/arm/Microsoft.RecoveryServices/vaults/readme.md 
@@ -19,6 +19,7 @@ This module deploys a recovery service vault. | `Microsoft.RecoveryServices/vaults` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults) | | `Microsoft.RecoveryServices/vaults/backupconfig` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-10-01/vaults/backupconfig) | | `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupFabrics/protectionContainers) | +| `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-06-01/vaults/backupFabrics/protectionContainers/protectedItems) | | `Microsoft.RecoveryServices/vaults/backupPolicies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupPolicies) | | `Microsoft.RecoveryServices/vaults/backupstorageconfig` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-08-01/vaults/backupstorageconfig) | | `Microsoft.RecoveryServices/vaults/replicationFabrics` | [2021-12-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2021-12-01/vaults/replicationFabrics) | diff --git a/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_privateEndpoints.bicep b/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_privateEndpoints.bicep deleted file mode 100644 index d1381aa576..0000000000 --- a/arm/Microsoft.ServiceBus/namespaces/.bicep/nested_privateEndpoints.bicep +++ /dev/null 
@@ -1,49 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpoint object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: contains(privateEndpoint, 'name') ? (empty(privateEndpoint.name) ? '${privateEndpointResourceName}-${privateEndpoint.service}' : privateEndpoint.name) : '${privateEndpointResourceName}-${privateEndpoint.service}' - subnetResourceId: privateEndpoint.subnetResourceId - service: [ - privateEndpoint.service - ] - privateDnsZoneResourceIds: contains(privateEndpoint, 'privateDnsZoneResourceIds') ? (empty(privateEndpoint.privateDnsZoneResourceIds) ? [] : privateEndpoint.privateDnsZoneResourceIds) : [] - customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? (empty(privateEndpoint.customDnsConfigs) ? null : privateEndpoint.customDnsConfigs) : null -} - -resource privateEndpoint_name 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } - - resource privateEndpoint_name_default 'privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { - name: 'default' - properties: { - privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): { - name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/')) - properties: { - privateDnsZoneId: privateEndpoint_var.privateDnsZoneResourceIds[j] - } - }] - } - } -} 
diff --git a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json index 6a1694eee9..99487b976b 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json @@ -151,6 +151,14 @@ "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} } + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "namespace" + } + ] } } } diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index afb2096942..3ce9d0e7e5 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -309,13 +309,23 @@ resource serviceBusNamespace_diagnosticSettings 'Microsoft.Insights/diagnosticSe
 scope: serviceBusNamespace
 }
-module serviceBusNamespace_privateEndpoints '.bicep/nested_privateEndpoints.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-${index}'
+module serviceBusNamespace_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+ name: '${uniqueString(deployment().name, location)}-Namespace-PrivateEndpoint-${index}'
 params: {
- privateEndpointResourceId: serviceBusNamespace.id
- privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- privateEndpoint: privateEndpoint
- tags: tags
+ groupIds: [
+ privateEndpoint.service
+ ]
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(serviceBusNamespace.id, '/'))}-${privateEndpoint.service}-${index}'
+ serviceResourceId: serviceBusNamespace.id
+ subnetResourceId: privateEndpoint.subnetResourceId
+ enableDefaultTelemetry: enableDefaultTelemetry
+ location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified'
+ privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
+ roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
+ tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 }
 }]
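Review bot: The `privateDnsZoneResourceIds` key that the deleted `.bicep/nested_privateEndpoints.bicep` consumed is no longer read anywhere, and `privateDnsZoneGroups` falls back to `[]` when its key is absent, so a caller that still passes the old key gets a private endpoint with no DNS zone group and no deployment error — the namespace FQDN will typically keep resolving to the public address, which defeats the purpose of the endpoint. The same loop changes the default endpoint name from `<namespace>-<service>` to `pe-<namespace>-<service>-<index>` and drops the inherited `tags: tags` in favour of per-entry tags, so re-running an existing deployment creates a second endpoint beside the old one and the new one may be rejected by tag-enforcing policy. I would add a comment above the module call, e.g. `// Breaking: privateEndpoints entries now follow the shared Microsoft.Network/privateEndpoints contract (privateDnsZoneGroups replaces privateDnsZoneResourceIds, tags are per entry, default name changed)`, and say the same in the readme so callers migrate their parameter files instead of silently losing DNS integration.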
diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 6e1304f01d..ebdb27c5d3 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md @@ -318,7 +318,6 @@ userAssignedIdentities: { module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-namespaces' params: { - } ``` @@ -485,6 +484,14 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} } + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "namespace" + } + ] } } } @@ -615,6 +622,12 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { userAssignedIdentities: { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} } + privateEndpoints: [ + { + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + service: 'namespace' + } + ] } ``` diff --git a/arm/Microsoft.Sql/servers/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Sql/servers/.bicep/nested_privateEndpoint.bicep deleted file mode 100644 index 7af99c7273..0000000000 --- a/arm/Microsoft.Sql/servers/.bicep/nested_privateEndpoint.bicep +++ /dev/null 
@@ -1,58 +0,0 @@ -@description('The resource ID of the service to link to') -param privateEndpointResourceId string - -@description('Required. The location of the proviate endpoint') -param privateEndpointVnetLocation string - -@description('Optional. Tags to add to the private endpoint.') -param tags object = {} - -@description('Optional. The name of the private endpoint') -param name string = '${last(split(privateEndpointResourceId, '/'))}-${service}' - -@description('Required. The service/groupId his private endpoint should connect to') -param service string = 'sqlServer' - -@description('Required. Subnet in a virtual network resource.') -param subnetResourceId string - -@description('Optional. Custom DNS configurations.') -param customDnsConfigs array = [] - -@description('Optional. A collection of private DNS zone configurations of the private dns zone group.') -param privateDnsZoneResourceIds array = [] - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: [ - service - ] - } - } - ] - subnet: { - id: subnetResourceId - } - customDnsConfigs: customDnsConfigs - } - - resource privateDnsZoneGroups 'privateDnsZoneGroups@2021-02-01' = { - name: 'default' - properties: { - privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateDnsZoneResourceIds: { - name: last(split(privateDnsZoneResourceId, '/')) - properties: { - privateDnsZoneId: privateDnsZoneResourceId - } - }] - } - } -} diff --git a/arm/Microsoft.Sql/servers/.parameters/parameters.json b/arm/Microsoft.Sql/servers/.parameters/parameters.json index 2f3893f12f..dccaeaf027 100644 --- a/arm/Microsoft.Sql/servers/.parameters/parameters.json +++ b/arm/Microsoft.Sql/servers/.parameters/parameters.json 
@@ -28,7 +28,9 @@ "value": [ { "roleDefinitionIdOrName": "Reader", - "principalIds": ["<>"] + "principalIds": [ + "<>" + ] } ] }, @@ -92,7 +94,8 @@ "privateEndpoints": { "value": [ { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "sqlServer" } ] } diff --git a/arm/Microsoft.Sql/servers/deploy.bicep b/arm/Microsoft.Sql/servers/deploy.bicep index 19c54f905c..a9b2bc7bfc 100644 --- a/arm/Microsoft.Sql/servers/deploy.bicep +++ b/arm/Microsoft.Sql/servers/deploy.bicep 
@@ -148,17 +148,23 @@ module server_databases 'databases/deploy.bicep' = [for (database, index) in dat
 }
 }]
-module server_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) {
- name: '${uniqueString(deployment().name, location)}-Sql-PrivateEndpoints-${index}'
+module server_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+ name: '${uniqueString(deployment().name, location)}-SQLServer-PrivateEndpoint-${index}'
 params: {
- privateEndpointResourceId: server.id
- privateEndpointVnetLocation: !empty(privateEndpoints) ? reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location : 'dummy'
- service: contains(endpoint, 'service') ? endpoint.service : 'sqlServer'
- subnetResourceId: endpoint.subnetResourceId
- customDnsConfigs: contains(endpoint, 'customDnsConfigs') ? endpoint.customDnsConfigs : []
- name: contains(endpoint, 'name') ? endpoint.name : '${last(split(server.id, '/'))}-sql'
- privateDnsZoneResourceIds: contains(endpoint, 'privateDnsZoneResourceIds') ? endpoint.privateDnsZoneResourceIds : []
- tags: contains(endpoint, 'tags') ? endpoint.tags : {}
+ groupIds: [
+ privateEndpoint.service
+ ]
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(server.id, '/'))}-${privateEndpoint.service}-${index}'
+ serviceResourceId: server.id
+ subnetResourceId: privateEndpoint.subnetResourceId
+ enableDefaultTelemetry: enableDefaultTelemetry
+ location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified'
+ privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
+ roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
+ tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 }
 }]
diff --git a/arm/Microsoft.Sql/servers/readme.md b/arm/Microsoft.Sql/servers/readme.md
index d79f761e9d..cdc5f674f9 100644
--- a/arm/Microsoft.Sql/servers/readme.md
+++ b/arm/Microsoft.Sql/servers/readme.md
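Review bot: `groupIds: [ privateEndpoint.service ]` and the default `name` read `privateEndpoint.service` unconditionally, whereas the removed line fell back to `'sqlServer'` (`service: contains(endpoint, 'service') ? endpoint.service : 'sqlServer'`), so every existing parameter file that omitted `service` — as this module's own `.parameters/parameters.json` did until this commit — now fails at deployment. Unless the break is intended, keep the fallback: `groupIds: [ contains(privateEndpoint, 'service') ? privateEndpoint.service : 'sqlServer' ]`, with the same expression in the default `name`. The default name also moves from `<server>-sql` to `pe-<server>-<service>-<index>` and `privateDnsZoneResourceIds` is no longer read (only `privateDnsZoneGroups` is), so a redeploy of an existing server creates a second endpoint and an unmigrated parameter file silently loses its private DNS zone group; both should be listed in the readme as breaking changes.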
@@ -17,7 +17,7 @@ This module deploys a SQL server. | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | | `Microsoft.Sql/servers` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-05-01-preview/servers) | | `Microsoft.Sql/servers/databases` | [2021-02-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-02-01-preview/servers/databases) | | `Microsoft.Sql/servers/firewallRules` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-05-01-preview/servers/firewallRules) | @@ -406,7 +406,9 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { "value": [ { "roleDefinitionIdOrName": "Reader", - "principalIds": ["<>"] + "principalIds": [ + "<>" + ] } ] }, 
@@ -470,7 +472,8 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { "privateEndpoints": { "value": [ { - "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints" + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "sqlServer" } ] } @@ -554,6 +557,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { privateEndpoints: [ { subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + service: 'sqlServer' } ] } diff --git a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_privateEndpoint.bicep deleted file mode 100644 index 75fa03bcd3..0000000000 --- a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_privateEndpoint.bicep +++ /dev/null 
@@ -1,49 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpointObj object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: (contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}') - subnetResourceId: privateEndpointObj.subnetResourceId - service: [ - privateEndpointObj.service - ] - privateDnsZoneResourceIds: (contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? ((empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds)) : []) - customDnsConfigs: (contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null) -} - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } - - resource privateDnsZoneGroups 'privateDnsZoneGroups@2021-02-01' = { - name: 'default' - properties: { - privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { - name: last(split(privateDnsZoneResourceId, '/')) - properties: { - privateDnsZoneId: privateDnsZoneResourceId - } - }] - } - } -} 
diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index e5a7ff6cf5..9f7b348c5b 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep 
@@ -248,13 +248,23 @@ module storageAccount_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, in
 }
 }]
-module storageAccount_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) {
- name: '${uniqueString(deployment().name, location)}-Storage-PrivateEndpoints-${index}'
+module storageAccount_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+ name: '${uniqueString(deployment().name, location)}-StorageAccount-PrivateEndpoint-${index}'
 params: {
- privateEndpointResourceId: storageAccount.id
- privateEndpointVnetLocation: !empty(privateEndpoints) ? reference(split(endpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location : 'dummy'
- privateEndpointObj: endpoint
- tags: tags
+ groupIds: [
+ privateEndpoint.service
+ ]
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(storageAccount.id, '/'))}-${privateEndpoint.service}-${index}'
+ serviceResourceId: storageAccount.id
+ subnetResourceId: privateEndpoint.subnetResourceId
+ enableDefaultTelemetry: enableDefaultTelemetry
+ location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified'
+ privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
+ roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
+ tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 }
 }]
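Review bot: The endpoint no longer inherits the storage account's tags — the removed `tags: tags` becomes `tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}` — so after this commit a tagged storage account gets untagged private endpoints unless every entry repeats them, which a tag-enforcing Azure Policy may reject and which drops the endpoints out of tag-based inventory. If a per-endpoint override is wanted, merge rather than replace: `tags: contains(privateEndpoint, 'tags') ? union(tags, privateEndpoint.tags) : tags`. As in the other modules touched by this commit, the loop also stops reading `privateDnsZoneResourceIds` (the deleted `nested_privateEndpoint.bicep` used it to populate the `default` DNS zone group) and changes the default endpoint name to `pe-<account>-<service>-<index>`, so an unmigrated parameter file silently loses DNS integration and a redeploy creates a second endpoint; both warrant a readme note.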
diff --git a/arm/Microsoft.Storage/storageAccounts/readme.md b/arm/Microsoft.Storage/storageAccounts/readme.md index c7422e2026..91da356496 100644 --- a/arm/Microsoft.Storage/storageAccounts/readme.md +++ b/arm/Microsoft.Storage/storageAccounts/readme.md @@ -18,7 +18,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | `Microsoft.Authorization/roleAssignments` | [2020-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-10-01-preview/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints/privateDnsZoneGroups) | | `Microsoft.Storage/storageAccounts` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-08-01/storageAccounts) | | `Microsoft.Storage/storageAccounts/blobServices` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-06-01/storageAccounts/blobServices) | | `Microsoft.Storage/storageAccounts/blobServices/containers` | [2019-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/blobServices/containers) | diff --git a/arm/Microsoft.Synapse/privateLinkHubs/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Synapse/privateLinkHubs/.bicep/nested_privateEndpoint.bicep deleted file mode 100644 index f855b992be..0000000000 
--- a/arm/Microsoft.Synapse/privateLinkHubs/.bicep/nested_privateEndpoint.bicep +++ /dev/null 
@@ -1,50 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpointObj object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}' - subnetResourceId: privateEndpointObj.subnetResourceId - service: [ - privateEndpointObj.service - ] - privateDnsZoneResourceIds: contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : [] - customDnsConfigs: contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? null : privateEndpointObj.customDnsConfigs) : null -} - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } -} - -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { - name: 'default' - properties: { - privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { - name: last(split(privateDnsZoneResourceId, '/')) - properties: { - privateDnsZoneId: privateDnsZoneResourceId - } - }] - } - parent: privateEndpoint -} 
diff --git a/arm/Microsoft.Synapse/privateLinkHubs/.parameters/parameters.json b/arm/Microsoft.Synapse/privateLinkHubs/.parameters/parameters.json index e9bb15fdb8..fd7e2e3eb4 100644 --- a/arm/Microsoft.Synapse/privateLinkHubs/.parameters/parameters.json +++ b/arm/Microsoft.Synapse/privateLinkHubs/.parameters/parameters.json @@ -9,11 +9,23 @@ "value": [ { "roleDefinitionIdOrName": "Reader", - "principalIds": ["<>"] + "principalIds": [ + "<>" + ] }, { "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "principalIds": ["<>"] + "principalIds": [ + "<>" + ] + } + ] + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "Web" } ] } diff --git a/arm/Microsoft.Synapse/privateLinkHubs/deploy.bicep b/arm/Microsoft.Synapse/privateLinkHubs/deploy.bicep index b76c4b931b..bd284655c7 100644 --- a/arm/Microsoft.Synapse/privateLinkHubs/deploy.bicep +++ b/arm/Microsoft.Synapse/privateLinkHubs/deploy.bicep 
@@ -65,13 +65,23 @@ module privateLinkHub_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, in
 }]
 
 // Private Endpoints
-module privateLinkHub_privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-${index}'
+module privateLinkHub_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+ name: '${uniqueString(deployment().name, location)}-PrivateLinkHub-PrivateEndpoint-${index}'
 params: {
- privateEndpointResourceId: privateLinkHub.id
- privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- privateEndpointObj: privateEndpoint
- tags: tags
+ groupIds: [
+ privateEndpoint.service
+ ]
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(privateLinkHub.id, '/'))}-${privateEndpoint.service}-${index}'
+ serviceResourceId: privateLinkHub.id
+ subnetResourceId: privateEndpoint.subnetResourceId
+ enableDefaultTelemetry: enableDefaultTelemetry
+ location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified'
+ privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
+ roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
+ tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 }
 }]
 
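Review bot: Consumers that still pass the old `privateDnsZoneResourceIds` key in a `privateEndpoints` entry now get no DNS zone group at all, because the new parameter block only reads `privateDnsZoneGroups` and falls back to `[]` (`privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []`), whereas the deleted nested module in the hunk above honored `privateDnsZoneResourceIds`. Unless DNS is handled some other way, a private endpoint deployed without its zone group leaves the service name resolving to the public address, so traffic silently bypasses the private link path; this is a breaking change that the readme's `privateEndpoints` parameter description should call out, together with the newly supported keys `lock`, `roleAssignments`, `tags`, `manualPrivateLinkServiceConnections` and `customDnsConfigs`. Mapping the old key onto `privateDnsZoneGroups` automatically would need the referenced module's input shape, which is not visible in this diff. The identical hunks in `arm/Microsoft.Web/sites/deploy.bicep` and `arm/Microsoft.Web/staticSites/deploy.bicep` have the same gap. Note also that `tags` is no longer inherited from the parent resource (`tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}`) and that the default endpoint name changes to the `pe-…-${index}` form, so redeploying an existing instance without an explicit `name` appears to create a second endpoint rather than update the old one — worth a changelog entry.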
diff --git a/arm/Microsoft.Synapse/privateLinkHubs/readme.md b/arm/Microsoft.Synapse/privateLinkHubs/readme.md index 43bd6a31d5..54e8ee621a 100644 --- a/arm/Microsoft.Synapse/privateLinkHubs/readme.md +++ b/arm/Microsoft.Synapse/privateLinkHubs/readme.md @@ -279,11 +279,23 @@ module privateLinkHubs './Microsoft.Synapse/privateLinkHubs/deploy.bicep' = { "value": [ { "roleDefinitionIdOrName": "Reader", - "principalIds": ["<>"] + "principalIds": [ + "<>" + ] }, { "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "principalIds": ["<>"] + "principalIds": [ + "<>" + ] + } + ] + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "Web" } ] } @@ -317,6 +329,12 @@ module privateLinkHubs './Microsoft.Synapse/privateLinkHubs/deploy.bicep' = { ] } ] + privateEndpoints: [ + { + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + service: 'Web' + } + ] } ``` diff --git a/arm/Microsoft.Web/sites/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Web/sites/.bicep/nested_privateEndpoint.bicep deleted file mode 100644 index 517bc60383..0000000000 --- a/arm/Microsoft.Web/sites/.bicep/nested_privateEndpoint.bicep +++ /dev/null 
@@ -1,49 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpointObj object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: contains(privateEndpointObj, 'name') ? (!empty(privateEndpointObj.name) ? privateEndpointObj.name : '${privateEndpointResourceName}-${privateEndpointObj.service}') : '${privateEndpointResourceName}-${privateEndpointObj.service}' - subnetResourceId: privateEndpointObj.subnetResourceId - service: [ - privateEndpointObj.service - ] - privateDnsZoneResourceIds: contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (!empty(privateEndpointObj.privateDnsZoneResourceIds) ? privateEndpointObj.privateDnsZoneResourceIds : []) : [] - customDnsConfigs: contains(privateEndpointObj, 'customDnsConfigs') ? (!empty(privateEndpointObj.customDnsConfigs) ? privateEndpointObj.customDnsConfigs : null) : null -} - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } -} - -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { - name: '${privateEndpoint.name}/default' - properties: { - privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { - name: last(split(privateDnsZoneResourceId, '/')) - properties: { - privateDnsZoneId: privateDnsZoneResourceId - } - }] - } -} 
diff --git a/arm/Microsoft.Web/sites/.parameters/fa.parameters.json b/arm/Microsoft.Web/sites/.parameters/fa.parameters.json index babf8b85f2..a3f52aa321 100644 --- a/arm/Microsoft.Web/sites/.parameters/fa.parameters.json +++ b/arm/Microsoft.Web/sites/.parameters/fa.parameters.json @@ -130,6 +130,14 @@ }, "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "sites" + } + ] } } } diff --git a/arm/Microsoft.Web/sites/.parameters/wa.parameters.json b/arm/Microsoft.Web/sites/.parameters/wa.parameters.json index 1816b99cbf..75ea5f8f00 100644 --- a/arm/Microsoft.Web/sites/.parameters/wa.parameters.json +++ b/arm/Microsoft.Web/sites/.parameters/wa.parameters.json @@ -57,6 +57,14 @@ }, "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "sites" + } + ] } } } diff --git a/arm/Microsoft.Web/sites/deploy.bicep b/arm/Microsoft.Web/sites/deploy.bicep index bcc17125e1..765a0e21ee 100644 --- a/arm/Microsoft.Web/sites/deploy.bicep +++ b/arm/Microsoft.Web/sites/deploy.bicep 
@@ -255,13 +255,23 @@ module app_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in rol
 }
 }]
 
-module app_privateEndpoint '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-Site-PrivateEndpoints-${index}'
+module app_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+ name: '${uniqueString(deployment().name, location)}-Site-PrivateEndpoint-${index}'
 params: {
- privateEndpointResourceId: app.id
- privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- privateEndpointObj: privateEndpoint
- tags: tags
+ groupIds: [
+ privateEndpoint.service
+ ]
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(app.id, '/'))}-${privateEndpoint.service}-${index}'
+ serviceResourceId: app.id
+ subnetResourceId: privateEndpoint.subnetResourceId
+ enableDefaultTelemetry: enableDefaultTelemetry
+ location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified'
+ privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
+ roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
+ tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 }
 }]
 
diff --git a/arm/Microsoft.Web/sites/readme.md b/arm/Microsoft.Web/sites/readme.md
index 82fc3f41aa..c0e9895d5c 100644
--- a/arm/Microsoft.Web/sites/readme.md
+++ b/arm/Microsoft.Web/sites/readme.md @@ -583,6 +583,14 @@ module sites './Microsoft.Web/sites/deploy.bicep' = { }, "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "sites" + } + ] } } } @@ -694,6 +702,12 @@ module sites './Microsoft.Web/sites/deploy.bicep' = { diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' diagnosticEventHubAuthorizationRuleId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' diagnosticEventHubName: 'adp-<>-az-evh-x-001' + privateEndpoints: [ + { + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + service: 'sites' + } + ] } ``` @@ -810,6 +824,14 @@ module sites './Microsoft.Web/sites/deploy.bicep' = { }, "diagnosticEventHubName": { "value": "adp-<>-az-evh-x-001" + }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints", + "service": "sites" + } + ] } } } 
@@ -856,6 +878,12 @@ module sites './Microsoft.Web/sites/deploy.bicep' = { diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' diagnosticEventHubAuthorizationRuleId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' diagnosticEventHubName: 'adp-<>-az-evh-x-001' + privateEndpoints: [ + { + subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints' + service: 'sites' + } + ] } ``` diff --git a/arm/Microsoft.Web/staticSites/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.Web/staticSites/.bicep/nested_privateEndpoint.bicep deleted file mode 100644 index 517bc60383..0000000000 --- a/arm/Microsoft.Web/staticSites/.bicep/nested_privateEndpoint.bicep +++ /dev/null 
@@ -1,49 +0,0 @@ -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpointObj object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: contains(privateEndpointObj, 'name') ? (!empty(privateEndpointObj.name) ? privateEndpointObj.name : '${privateEndpointResourceName}-${privateEndpointObj.service}') : '${privateEndpointResourceName}-${privateEndpointObj.service}' - subnetResourceId: privateEndpointObj.subnetResourceId - service: [ - privateEndpointObj.service - ] - privateDnsZoneResourceIds: contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (!empty(privateEndpointObj.privateDnsZoneResourceIds) ? privateEndpointObj.privateDnsZoneResourceIds : []) : [] - customDnsConfigs: contains(privateEndpointObj, 'customDnsConfigs') ? (!empty(privateEndpointObj.customDnsConfigs) ? privateEndpointObj.customDnsConfigs : null) : null -} - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } - ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs - } -} - -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { - name: '${privateEndpoint.name}/default' - properties: { - privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { - name: last(split(privateDnsZoneResourceId, '/')) - properties: { - privateDnsZoneId: privateDnsZoneResourceId - } - }] - } -} 
diff --git a/arm/Microsoft.Web/staticSites/deploy.bicep b/arm/Microsoft.Web/staticSites/deploy.bicep index d88a15ca27..2b80083a7c 100644 --- a/arm/Microsoft.Web/staticSites/deploy.bicep +++ b/arm/Microsoft.Web/staticSites/deploy.bicep 
@@ -136,13 +136,23 @@ module staticSite_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index)
 }
 }]
 
-module staticSite_privateEndpoint '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
- name: '${uniqueString(deployment().name, location)}-StaticSite-PrivateEndpoints-${index}'
+module staticSite_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
+ name: '${uniqueString(deployment().name, location)}-StaticSite-PrivateEndpoint-${index}'
 params: {
- privateEndpointResourceId: staticSite.id
- privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
- privateEndpointObj: privateEndpoint
- tags: tags
+ groupIds: [
+ privateEndpoint.service
+ ]
+ name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(staticSite.id, '/'))}-${privateEndpoint.service}-${index}'
+ serviceResourceId: staticSite.id
+ subnetResourceId: privateEndpoint.subnetResourceId
+ enableDefaultTelemetry: enableDefaultTelemetry
+ location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
+ lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified'
+ privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : []
+ roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
+ tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
+ manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
+ customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
 }
 }]
 
diff --git a/docs/wiki/Getting started - Get module cross-references.md b/docs/wiki/Getting started - Get module cross-references.md new file mode 100644 index 0000000000..01a521d98b --- /dev/null +++ b/docs/wiki/Getting started - Get module cross-references.md 
@@ -0,0 +1,102 @@ +The `'Get-LinkedLocalModuleList'` function provides you with the capability to check for any local module references in a given path. This can be useful to determine which modules folder you'd need if you don't want to keep the entire library. + +--- + +### _Navigation_ + +- [Location](#location) +- [How it works](#what-it-does) +- [How to use it](#how-to-use-it) +- [Related function: _Get-LinkedModuleList_](#related-function-get-linkedmodulelist) + +--- +# Location + +You can find the script under `'utilities/tools/Get-LinkedLocalModuleList.ps1'` + +# How it works + +When invoking the script: + +1. The function leverages the utility [Get-LinkedModuleList](#related-function-get-linkedmodulelist) to fetch all references implemented in the modules in a given path +1. The function filters these references down to only local references (i.e. cross-module references) and formats them to show a consistent '\/\' format. +1. Finally, it prints the references to the invoking terminal, group by ResourceType. + +# How to use it + +> **Note:** The script must be loaded before the function can be invoked + +For details on how to use the function please refer to the script's local documentation. 
+ +## Example output + +```PowerShell +VERBOSE: The modules in path [ResourceModules\arm] have the following local folder dependencies: +VERBOSE: +VERBOSE: Resource: Microsoft.ApiManagement/service +VERBOSE: - Microsoft.ApiManagement/authorizationServers +VERBOSE: +VERBOSE: Resource: Microsoft.ContainerRegistry/registries +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.Web/sites +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.EventHub/namespaces +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.MachineLearningServices/workspaces +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.Network/bastionHosts +VERBOSE: - Microsoft.Network/publicIPAddresses +VERBOSE: +VERBOSE: Resource: Microsoft.Sql/servers +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.Insights/privateLinkScopes +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.Web/staticSites +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.Storage/storageAccounts +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.Automation/automationAccounts +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.ServiceBus/namespaces +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.Compute/virtualMachines +VERBOSE: - Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems +VERBOSE: - Microsoft.Network/publicIPAddresses +VERBOSE: - Microsoft.Network/networkInterfaces +VERBOSE: +VERBOSE: Resource: Microsoft.CognitiveServices/accounts +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.Synapse/privateLinkHubs +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: 
Microsoft.AppConfiguration/configurationStores +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.EventGrid/topics +VERBOSE: - Microsoft.Network/privateEndpoints +VERBOSE: +VERBOSE: Resource: Microsoft.KeyVault/vaults +VERBOSE: - Microsoft.Network/privateEndpoints +``` + +# Related function: _Get-LinkedModuleList_ + +The function `'Get-LinkedModuleList'` (also in path `'utilities/tools'`) is leveraged by the `'Get-LinkedLocalModuleList'` function, but can also be invoked on its own. You can use it to get an overview of all references implemented in any module in a given path. This includes: +- Resource deployments +- Cross-Module references +- Remove-Module references (e.g., Bicep Registry) + +> **Note:** The script must be loaded before the function can be invoked + +For details on how to use the function please refer to the script's local documentation. diff --git a/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md index 6238aec25a..ddc0c77038 100644 --- a/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 1 Onboard module library and CI environment.md 
@@ -31,6 +31,8 @@ Next you'll want to create your own copy of the code. Depending on the repositor > **Note:** Whether you chose GitHub or Azure DevOps as your repository's environment does not affect your options when registering the pipelines. +> **Note:** If you don't want to use all modules, you can remove those that should not be part of your library. However, when doing so, make sure you use the utility [`Get-LinkedLocalModuleList`](./Getting%20started%20-%20Get%20module%20cross-references) to check for any cross-module references. For example, you may find that when you'd remove the 'Microsoft.Network/privateEndpoints', that it is still referenced by some of the modules you may want to use (for example 'Microsoft.KeyVault/vaults'). In those cases, make sure to not accidently delete required references. +

GitHub Repository diff --git a/docs/wiki/The library - Module design.md b/docs/wiki/The library - Module design.md index 2b3812c428..9c825706db 100644 --- a/docs/wiki/The library - Module design.md +++ b/docs/wiki/The library - Module design.md @@ -12,7 +12,8 @@ This section details the design principles followed by the CARML Bicep modules. - [Bicep template guidelines](#bicep-template-guidelines) - [Parameters](#parameters) - [Variables](#variables) - - [Resource](#resource) + - [Resource](#resources) + - [Modules](#modules) - [Outputs](#outputs) - [ReadMe](#readme) - [Parameter files](#parameter-files) @@ -124,12 +125,8 @@ Use the following naming standard for module files and folders: This section details patterns among extension resources that are usually very similar in their structure among all modules supporting them: -- [Locks](#locks) -- [RBAC](#rbac) -- [Diagnostic Settings](#diagnostic-settings) -- [Private Endpoints](#private-endpoints) - -### Locks +
+Locks The locks extension can be added as a `resource` to the resource template directly. @@ -152,7 +149,10 @@ resource _lock 'Microsoft.Authorization/locks@2017-04-01' = if (lo } ``` -### RBAC +
+ +
+RBAC The RBAC deployment has 2 elements to it. A module that contains the implementation, and a module reference in the parent resource - each with it's own loop to enable you to deploy n-amount of role assignments to n-amount of principals. @@ -214,7 +214,11 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-prev }] ``` -### Diagnostic settings +
+ +
+Diagnostic Settings + The diagnostic settings may differ slightly depending from resource to resource. Most notably, the `` as well as `` may be different and have to be added by you. However, it may just as well be the case they no metrics or no logs are existing. You can then remove the parameter and property from the resource itself. @@ -288,7 +292,11 @@ resource _diagnosticSettings 'Microsoft.Insights/diagnosticsetting } ``` -### Private Endpoints +
+ +
+Private Endpoints + The Private Endpoint deployment has 2 elements to it. A module that contains the implementation, and a module reference in the parent resource. The first loops through the endpoints we want to create, the second processes them. 
@@ -298,72 +306,30 @@ The Private Endpoint deployment has 2 elements to it. A module that contains the @description('Optional. Configuration Details for private endpoints.') param privateEndpoints array = [] -module _privateEndpoints '.bicep/nested_privateEndpoint.bicep' = [for (privateEndpoint, index) in privateEndpoints: { - name: '${uniqueString(deployment().name, location)}-PrivateEndpoint-${index}' +module _privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: { + name: '${uniqueString(deployment().name, location)}--PrivateEndpoint-${index}' params: { - privateEndpointResourceId: .id - privateEndpointVnetLocation: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location - privateEndpointObj: privateEndpoint - tags: tags - } -}] -``` - -#### 2nd Element as nested `.bicep/nested_privateEndpoint.bicep` file - -```bicep -param privateEndpointResourceId string -param privateEndpointVnetLocation string -param privateEndpointObj object -param tags object - -var privateEndpointResourceName = last(split(privateEndpointResourceId, '/')) -var privateEndpoint_var = { - name: contains(privateEndpointObj, 'name') ? (empty(privateEndpointObj.name) ? '${privateEndpointResourceName}-${privateEndpointObj.service}' : privateEndpointObj.name) : '${privateEndpointResourceName}-${privateEndpointObj.service}' - subnetResourceId: privateEndpointObj.subnetResourceId - service: [ - privateEndpointObj.service - ] - privateDnsZoneResourceIds: contains(privateEndpointObj, 'privateDnsZoneResourceIds') ? (empty(privateEndpointObj.privateDnsZoneResourceIds) ? [] : privateEndpointObj.privateDnsZoneResourceIds) : [] - customDnsConfigs: contains(privateEndpointObj, 'customDnsConfigs') ? (empty(privateEndpointObj.customDnsConfigs) ? 
null : privateEndpointObj.customDnsConfigs) : null -} - -resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = { - name: privateEndpoint_var.name - location: privateEndpointVnetLocation - tags: tags - properties: { - privateLinkServiceConnections: [ - { - name: privateEndpoint_var.name - properties: { - privateLinkServiceId: privateEndpointResourceId - groupIds: privateEndpoint_var.service - } - } + groupIds: [ + privateEndpoint.service ] - manualPrivateLinkServiceConnections: [] - subnet: { - id: privateEndpoint_var.subnetResourceId - } - customDnsConfigs: privateEndpoint_var.customDnsConfigs + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: .id + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableDefaultTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : 'NotSpecified' + privateDnsZoneGroups: contains(privateEndpoint, 'privateDnsZoneGroups') ? privateEndpoint.privateDnsZoneGroups : [] + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? 
privateEndpoint.customDnsConfigs : [] } -} +}] -resource privateDnsZoneGroups 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) { - name: 'default' - properties: { - privateDnsZoneConfigs: [for privateDnsZoneResourceId in privateEndpoint_var.privateDnsZoneResourceIds: { - name: last(split(privateDnsZoneResourceId, '/')) - properties: { - privateDnsZoneId: privateDnsZoneResourceId - } - }] - } - parent: privateEndpoint -} ``` +
+ --- # Bicep template guidelines 
@@ -451,6 +417,9 @@ Within a bicep file, use the following conventions:
 - Module symbolic names are in camel_Snake_Case, following the schema `_` e.g. `storageAccount_fileServices`, `virtualMachine_nic`, `resourceGroup_rbac`.
 - Modules enable you to reuse code from a Bicep file in other Bicep files. As such they're normally leveraged for deploying child resources (e.g. file services in a storage account), cross referenced resources (e.g. network interface in a virtual machine) or extension resources (e.g. role assignment in a resource group).
+ - When a module requires to deploy a resource whose resource type is outside of the main module's provider namespace, the module of this additional resource is referenced locally. For example, when extending the Key Vault module with Private Endpoints, instead of including in the Key Vault module an ad hoc implementation of a Private Endpoint, the Key Vault directly references the Private Endpoint module (i.e., `module privateEndpoint '../../Microsoft.Network/privateEndpoints/deploy.bicep'`). Major benefits of this implementation are less code duplication, more consistency throughout the module library and allowing the consumer to leverage the full interface provided by the referenced module.
+ > **Note**: Cross-referencing modules from the local repository creates a dependency for the modules applying this technique on the referenced modules being part of the local repository. Reusing the example from above, the Key Vault module has a dependency on the referenced Private Endpoint module, meaning that the repository from which the Key Vault module is deployed also requires the Private Endpoint module to be present. For this reason, we provide a utility to check for any local module references in a given path. This can be useful to determine which module folders you'd need if you don't want to keep the entire library.
For further information on how to use the tool, please refer to the tool-specific [documentation](./Getting started%20-%20Get%20module%20cross-references). + ### Deployment names
diff --git a/utilities/tools/Get-LinkedLocalModuleList.ps1 b/utilities/tools/Get-LinkedLocalModuleList.ps1
new file mode 100644
index 0000000000..347997b8e9
--- /dev/null
+++ b/utilities/tools/Get-LinkedLocalModuleList.ps1
@@ -0,0 +1,80 @@
+<#
+.SYNOPSIS
+Print a list of all local references for the modules in a given path
+
+.DESCRIPTION
+The result will be a list of all modules in the given path alongside their individual references to other modules in the folder structure
+
+.PARAMETER path
+Optional. The path to search in. Defaults to the 'arm' folder
+
+.EXAMPLE
+Get-LinkedLocalModuleList
+
+Invoke the function with the default path. Prints a list such as:
+
+> The modules in path [C:\dev\ip\Azure-ResourceModules\ResourceModules\arm] have the following local folder dependencies:
+>
+> Resource: Microsoft.EventGrid/topics
+> - Microsoft.EventGrid/Microsoft.Network/privateEndpoints
+>
+> Resource: Microsoft.Synapse/privateLinkHubs
+> - Microsoft.Synapse/Microsoft.Network/privateEndpoints
+
+.EXAMPLE
+Get-LinkedLocalModuleList -Path './Microsoft.Sql'
+
+Get only the references of the modules in folder path './Microsoft.Sql'
+
+> The modules in path [..\..\arm\Microsoft.Sql\] have the following local folder dependencies:
+>
+> Resource: Microsoft.Sql/servers
+> - Microsoft.Sql/Microsoft.Network/privateEndpoints
+#>
+function Get-LinkedLocalModuleList {
+
+ [CmdletBinding()]
+ param (
+ [Parameter()]
+ [string] $path = (Join-Path (Split-Path (Split-Path $PSScriptRoot -Parent) -Parent) 'arm')
+ )
+
+ # Load used functions
+ .
(Join-Path $PSScriptRoot 'Get-LinkedModuleList.ps1')
+
+ $allReferences = Get-LinkedModuleList -path $path
+
+ $resultSet = @{}
+
+ foreach ($resourceType in $allReferences.Keys) {
+ $relevantLocalReferences = $allReferences[$resourceType].localPathReferences | Where-Object { $_ -match '^\.\..*$' }
+ if ($relevantLocalReferences) {
+ $relevantLocalReferences = $relevantLocalReferences | ForEach-Object {
+ # remove deploy.bicep
+ Split-Path $_ -Parent
+ } | ForEach-Object {
+ # remove leading path elements
+ ($_ -replace '\\', '/') -match '^[\.\/]*(.+)$'
+ } | ForEach-Object {
+ # We have to differentate the case that the referenced resources is inside or outside the same provider namespace (e.g. '../publicIPAddresses')
+ if ($matches[1] -like '*/*') {
+ # Reference outside of namespace
+ $matches[1]
+ } else {
+ # Reference inside of namespace (-> we rebuild the namespace)
+ '{0}/{1}' -f (Split-Path $resourceType -Parent), $matches[1]
+ }
+ }
+ $resultSet[$resourceType] = $relevantLocalReferences
+ }
+ }
+
+ Write-Verbose "The modules in path [$path] have the following local folder dependencies:" -Verbose
+ foreach ($resourceType in $resultSet.Keys) {
+ Write-Verbose '' -Verbose
+ Write-Verbose "Resource: $resourceType" -Verbose
+ $resultSet[$resourceType] | ForEach-Object {
+ Write-Verbose "- $_" -Verbose
+ }
+ }
+}
diff --git a/utilities/tools/Get-LinkedModuleList.ps1 b/utilities/tools/Get-LinkedModuleList.ps1
new file mode 100644
index 0000000000..ebc4ea81f2
--- /dev/null
+++ b/utilities/tools/Get-LinkedModuleList.ps1
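Review bot: The final ForEach-Object stage reads `$matches[1]` that the `-match` in the preceding stage set, so an element for which that match fails would silently reuse the capture from the previous element instead of being skipped; the regex `'^[\.\/]*(.+)$'` only fails on an empty string, so this is fragile rather than broken today. Folding the test and its use into one stage removes the cross-stage dependency: `if (($_ -replace '\\', '/') -match '^[\.\/]*(.+)$') { ... existing if/else on $matches[1] ... }`. The comment `# We have to differentate ...` has a typo (differentiate) and could say what each branch yields, e.g. `# A reference containing '/' already carries its provider namespace; a bare sibling folder (e.g. '../publicIPAddresses') is prefixed with this module's namespace`. As a point of style, the result is only printed via `Write-Verbose -Verbose`, so callers cannot capture it; returning `$resultSet` as Get-LinkedModuleList does and formatting in the caller would be more composable.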
@@ -0,0 +1,79 @@
+<#
+.SYNOPSIS
+Get a list of all resource/module references in a given module path
+
+.DESCRIPTION
+As an output you will receive a hashtable that (for each provider namespace) lists the
+- Directly deployed resources (e.g. via "resource myDeployment 'Microsoft.(..)/(..)@(..)'")
+- Linked local module templates (e.g. via "module myDeployment '../../deploy.bicep'")
+- Linked remote module tempaltes (e.g. via "module rg 'br/modules:(..):(..)'")
+
+.PARAMETER path
+Optional. The path to search in. Defaults to the 'arm' folder
+
+.EXAMPLE
+Get-LinkedModuleList
+
+Invoke the function with the default path. Returns an object such as:
+{
+ "Microsoft.Compute/availabilitySets": {
+ "localPathReferences": ".bicep/nested_rbac.bicep",
+ "remoteReferences": null,
+ "resourceReferences": [
+ "Microsoft.Resources/deployments@2021-04-01",
+ "Microsoft.Compute/availabilitySets@2021-07-01",
+ "Microsoft.Authorization/locks@2017-04-01",
+ "Microsoft.Compute/availabilitySets@2021-04-01",
+ "Microsoft.Authorization/roleAssignments@2020-10-01-preview"
+ ]
+ },
+ (...)
+}
+
+.EXAMPLE
+Get-LinkedModuleList -path './Microsoft.Sql'
+
+Get only the references of the modules in folder path './Microsoft.Sql'
+#>
+function Get-LinkedModuleList {
+
+ [CmdletBinding()]
+ param (
+ [Parameter()]
+ [string] $path = (Join-Path (Split-Path (Split-Path $PSScriptRoot -Parent) -Parent) 'arm')
+ )
+
+ $resultSet = @{}
+
+ # Get all top-level module folders (i.e.
one level below 'Microsoft.*')
+ $topLevelFolderPaths = (Get-ChildItem -Path $path -Recurse -Depth 1 -Directory).FullName
+ $topLevelFolderPaths = $topLevelFolderPaths | Where-Object { $_ -like '*Microsoft.*' -and (Split-Path $_ -Leaf) -notlike 'Microsoft.*' }
+
+ foreach ($topLevelFolderPath in $topLevelFolderPaths) {
+
+ $moduleTemplatePaths = (Get-ChildItem -Path $topLevelFolderPath -Recurse -Depth 1 -Filter '*.bicep' -File).FullName
+
+ $resourceReferences = [System.Collections.ArrayList]@()
+ $localPathReferences = [System.Collections.ArrayList]@()
+ $remoteReferences = [System.Collections.ArrayList]@()
+
+ foreach ($templatePath in $moduleTemplatePaths) {
+ $content = Get-Content -Path $templatePath
+
+ $resourceReferences += $content | Where-Object { $_ -match "^resource .+ '(.+)' .+$" } | ForEach-Object { $matches[1] }
+ $localPathReferences += $content | Where-Object { $_ -match "^module .+ '(.+.bicep)' .+$" } | ForEach-Object { $matches[1] }
+ $remoteReferences += $content | Where-Object { $_ -match "^module .+ '(.+:.+)' .+$" } | ForEach-Object { $matches[1] }
+ }
+
+ $providerNamespace = Split-Path (Split-Path $topLevelFolderPath -Parent) -Leaf
+ $resourceType = Split-Path $topLevelFolderPath -Leaf
+
+ $resultSet["$providerNamespace/$resourceType"] = @{
+ resourceReferences = $resourceReferences | Select-Object -Unique
+ localPathReferences = $localPathReferences | Select-Object -Unique
+ remoteReferences = $remoteReferences | Select-Object -Unique
+ }
+ }
+
+ return $resultSet
+}
diff --git a/utilities/tools/Set-ModuleReadMe.ps1 b/utilities/tools/Set-ModuleReadMe.ps1
index 6a7783b97e..df90c119b0 100644
--- a/utilities/tools/Set-ModuleReadMe.ps1
+++ b/utilities/tools/Set-ModuleReadMe.ps1
@@ -634,6 +634,10 @@ function Set-ModuleReadMe {
 }
 }
+ if (-not $templateFileContent) {
+ throw "Failed to compile [$TemplateFilePath]"
+ }
+ $fullResourcePath = (Split-Path $TemplateFilePath -Parent).Replace('\', '/').split('/arm/')[1] # Check readme
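Review bot: The module-folder detection depends on `-Depth 1` relative to `$path`, which fits the default `arm` root, but with the documented `-path './Microsoft.Sql'` the depth-1 entries appear to be a module's own subfolders (`.bicep`, `.parameters`, child resources), whose leaf is not `Microsoft.*` and which would then be scanned as modules keyed like `servers/.bicep`. Checking for the module template instead of the depth makes the walk independent of its starting point: `Where-Object { Test-Path (Join-Path $_ 'deploy.bicep') }`. The three reference lists are typed `[System.Collections.ArrayList]` but are only ever grown with `+=`, which builds a new collection on each append rather than calling the list's `Add`; plain `@()` arrays would express the same thing with less surprise. In the local-reference regex the dot in `'(.+.bicep)'` is unescaped and matches any character, so `'(.+\.bicep)'` is the intended pattern.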
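Review bot: The new guard reports only the template path, so whatever the compile step above produced is lost from the error; that step, like the start of Set-ModuleReadMe, lies outside this hunk. If it is a native command such as the Bicep CLI, its exit code is still available at this point and worth adding: `throw "Failed to compile [$TemplateFilePath] (exit code [$LASTEXITCODE])"`. A one-line why-comment above the check would also help the next reader, e.g. `# An empty compile result means the template could not be built; fail early with a clear message`.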