From 4473142346a169b7da54811065617d29db39a810 Mon Sep 17 00:00:00 2001
From: prasanjeets <91326088+prasanjeets@users.noreply.github.com>
Date: Thu, 19 May 2022 10:22:02 +0530
Subject: [PATCH 1/5] Fixed Inconsistent naming of NSGs IDs #1323 (#1406)

---
 arm/Microsoft.Compute/virtualMachines/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arm/Microsoft.Compute/virtualMachines/deploy.bicep b/arm/Microsoft.Compute/virtualMachines/deploy.bicep
index 2124046ea1..d2b9d03753 100644
--- a/arm/Microsoft.Compute/virtualMachines/deploy.bicep
+++ b/arm/Microsoft.Compute/virtualMachines/deploy.bicep
@@ -352,7 +352,7 @@ module virtualMachine_nic '.bicep/nested_networkInterface.bicep' = [for (nicConf
 enableIPForwarding: contains(nicConfiguration, 'enableIPForwarding') ? (!empty(nicConfiguration.enableIPForwarding) ? nicConfiguration.enableIPForwarding : false) : false
 enableAcceleratedNetworking: contains(nicConfiguration, 'enableAcceleratedNetworking') ? nicConfiguration.enableAcceleratedNetworking : true
 dnsServers: contains(nicConfiguration, 'dnsServers') ? (!empty(nicConfiguration.dnsServers) ? nicConfiguration.dnsServers : []) : []
- networkSecurityGroupId: contains(nicConfiguration, 'nsgId') ? (!empty(nicConfiguration.nsgId) ? nicConfiguration.nsgId : '') : ''
+ networkSecurityGroupId: contains(nicConfiguration, 'networkSecurityGroupId') ? (!empty(nicConfiguration.networkSecurityGroupId) ? nicConfiguration.networkSecurityGroupId : '') : ''
 ipConfigurationArray: nicConfiguration.ipConfigurations
 lock: lock
 diagnosticStorageAccountId: diagnosticStorageAccountId

From 2f26892c085b9be8c0417ee534d5f842370adbb4 Mon Sep 17 00:00:00 2001
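Review bot: Renaming the lookup key from `nsgId` to `networkSecurityGroupId` silently drops the NSG for any caller still passing `nsgId` — the `contains()` guard on the new line falls through to `''` and the NIC is deployed with no network security group and no validation error. Because the failure mode is a weaker network boundary rather than a broken deployment, consider a one-release fallback such as `networkSecurityGroupId: contains(nicConfiguration, 'networkSecurityGroupId') ? nicConfiguration.networkSecurityGroupId : (contains(nicConfiguration, 'nsgId') ? nicConfiguration.nsgId : '')`, or at minimum mark the change as breaking in the PR and the module readme. The `nicConfigurations` parameter description and the readme examples are outside this hunk and presumably still document `nsgId`; they should be updated in the same change. The enclosing `virtualMachine_nic` module loop starts before this hunk.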
From: Alexander Sehr
Date: Thu, 19 May 2022 10:55:13 +0200
Subject: [PATCH 2/5] Added telemetry to AAD module & description to docs (#1393)

* Added telemetry to AAD module & description to docs

* Update to latest

* Update to latest

* Update to latest
---
 .github/PULL_REQUEST_TEMPLATE.md | 2 +-
 arm/Microsoft.AAD/DomainServices/deploy.bicep | 15 +++++++++++++++
 arm/Microsoft.AAD/DomainServices/readme.md | 1 +
 docs/wiki/The library - Module design.md | 17 +++++++++++++++++
 settings.json | 3 +++
 5 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 129120b3a4..a4ca574867 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -20,7 +20,7 @@ Please delete options that are not relevant.
 - [ ] Bug fix (non-breaking change which fixes an issue)
 - [ ] New feature (non-breaking change which adds functionality)
 - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
-- [ ] This change requires a documentation update (Wiki)
+- [ ] Update to documentation
 
 # Checklist
 
diff --git a/arm/Microsoft.AAD/DomainServices/deploy.bicep b/arm/Microsoft.AAD/DomainServices/deploy.bicep
index d47a8e6fcf..b8b482446d 100644
--- a/arm/Microsoft.AAD/DomainServices/deploy.bicep
+++ b/arm/Microsoft.AAD/DomainServices/deploy.bicep
@@ -128,6 +128,9 @@ param tags object = {}
 @maxValue(365)
 param diagnosticLogsRetentionInDays int = 365
 
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
+
 @allowed([
 'CanNotDelete'
 'NotSpecified'
@@ -172,6 +175,18 @@ var diagnosticsLogs = [for log in logsToEnable: {
 }
 }]
 
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
 resource domainService 'Microsoft.AAD/DomainServices@2021-05-01' = {
 name: name
 location: location

diff --git a/arm/Microsoft.AAD/DomainServices/readme.md b/arm/Microsoft.AAD/DomainServices/readme.md
index 0b5b5c892d..052da957d4 100644
--- a/arm/Microsoft.AAD/DomainServices/readme.md
+++ b/arm/Microsoft.AAD/DomainServices/readme.md
@@ -41,6 +41,7 @@ This template deploys Azure Active Directory Domain Services (AADDS).
 | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
 | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
 | `domainConfigurationType` | string | `'FullySynced'` | `[FullySynced, ResourceTrusting]` | The value is to provide domain configuration type. |
+| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `externalAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | The value is to enable the Secure LDAP for external services of Azure ADDS Services. |
 | `filteredSync` | string | `'Enabled'` | | The value is to synchronise scoped users and groups. |
 | `kerberosArmoring` | string | `'Enabled'` | `[Enabled, Disabled]` | The value is to enable to provide a protected channel between the Kerberos client and the KDC. |

diff --git a/docs/wiki/The library - Module design.md b/docs/wiki/The library - Module design.md
index caf9b2a67a..f461480904 100644
--- a/docs/wiki/The library - Module design.md
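Review bot: The new `defaultTelemetry` resource is opt-out (`enableDefaultTelemetry` defaults to `true` in the earlier hunk at line 128), yet nothing in the module tells a consumer what it records or how to switch it off; the parameter description should say so, e.g. `@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID). When true, an empty nested deployment named pid-<GUID>-<hash> is written to the resource group deployment history; set to false to opt out.')`. The resource body deploys an empty template (`resources: []`), so no data beyond the deployment name leaves the tenant, and stating that explicitly avoids the impression that customer data is transmitted. A nested `Microsoft.Resources/deployments` resource will also need deployment-write permission for the deploying principal and can be blocked by policies that deny nested deployments, so a short readme note that restricted tenants may need `enableDefaultTelemetry: false` would help consumers.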
+++ b/docs/wiki/The library - Module design.md
@@ -16,6 +16,7 @@ This section details the design principles followed by the CARML Bicep modules.
 - [Outputs](#outputs)
 - [ReadMe](#readme)
 - [Parameter files](#parameter-files)
+- [Telemetry](#telemetry)
 
 ---
 
@@ -535,3 +536,19 @@ Parameter files in CARML leverage the common `deploymentParameters.json` schema
 - Likewise, the `name` parameter we have in most modules should give some indication of the file it was deployed with. For example, a `min.parameters.json` parameter file for the virtual network module may have a `name` property with the value `sxx-az-vnet-min-001` where `min` relates to the prefix of the parameter file itself.
 - A module should have as many parameter files as it needs to evaluate all parts of the module's functionality.
 - Sensitive data should not be stored inside the parameter file but rather be injected by the use of tokens, as described in the [Token replacement](./The%20CI%20environment%20-%20Token%20replacement) section, or via a [key vault reference](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#reference-secrets-with-static-id).
+
+# Telemetry
+
+Each module in CARML contains a `defaultTelemetry` deployment `'pid--${uniqueString(deployment().name)}'`, resulting in deployments such as `'pid--nx2c3rnlt2wru'`.
+
+This resource enables the team responsible for CARML to query the number of deployments of a given template from Azure - and as such get insights into its adoption.
+
+When using CARML's CI environment you can enable/disable this deployment by switching the `enableDefaultTelemetry` setting in the `settings.json` file in the repository's root. This value is automatically injected into each individual deployment that is executed as part of the environment's pipeline.
+
+When consuming the modules outside of CARML's pipelines you can either
+- Set the parameter to a default value of `'false'`
+- Set the parameter to false when deploying a module
+
+> **Note:** _The deployment and its GUID can NOT be used to track [Azure Consumed Revenue (ACR)](https://docs.microsoft.com/en-us/azure/marketplace/azure-partner-customer-usage-attribution)._
+>
+> _If you want to track it, we recommend to implement it on the consuming template's level (i.e. the workload/solution) and apply the required naming format `'pid-'` (without the suffix)._

diff --git a/settings.json b/settings.json
index a25371a5d3..9198a0f7d0 100644
--- a/settings.json
+++ b/settings.json
@@ -12,5 +12,8 @@
 }
 ]
 },
+ // Enable or disable CARMLs CI telemetry tracking.
+ // Note: This tracks the number of deployments only
+ // For more information see: https://github.com/Azure/ResourceModules/wiki/The%20library%20-%20Module%20design#telemetry
 "enableDefaultTelemetry": true
 }

From 1e44764574f94ebf9a84bf5355f463aec4989f67 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Thu, 19 May 2022 14:32:47 +0200
Subject: [PATCH 3/5] Update to latest

---
 .../azureFirewalls/deploy.bicep | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
index f70cff6015..39ffdb69b7 100644
--- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep
+++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
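Review bot: The three `//` comment lines added to `settings.json` turn the file into JSON-with-comments, so any consumer that parses it with a strict parser (`jq`, `JSON.parse`, Python `json.load`) will now fail; confirm every reader of this file tolerates comments (PowerShell 6+ `ConvertFrom-Json` does, older Windows PowerShell may not) or keep only the wiki link in the comment. The comment says the flag "tracks the number of deployments only", which matches the empty nested deployment the modules create, but it should also state that the value is on by default so anyone forking the repository knows to set it to `false`, e.g. `// Enable or disable CARMLs CI telemetry tracking (on by default; set to false to opt out).`.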
@@ -147,6 +147,14 @@ var newPip = {
 }
 }
 
+var ipConfigurations = concat([
+ {
+ name: 'IpConfAzureFirewallSubnet'
+ //Use existing public ip, new public ip created in this module, or none if isCreateDefaultPublicIP is false
+ properties: union(subnet_var, !empty(azureFirewallSubnetPublicIpId) ? existingPip : {}, (isCreateDefaultPublicIP ? newPip : {}))
+ }
+], additionalPublicIpConfigurations_var)
+
 // ----------------------------------------------------------------------------
 
 var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
@@ -226,14 +234,7 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = {
 firewallPolicy: empty(firewallPolicyId) ? null : {
 id: firewallPolicyId
 }
- ipConfigurations: concat([
- {
- name: 'IpConfAzureFirewallSubnet'
- //Use existing public ip, new public ip created in this module, or none if isCreateDefaultPublicIP is false
- properties: !empty(azureFirewallSubnetPublicIpId) ? union(subnet_var, existingPip) : (isCreateDefaultPublicIP ? union(subnet_var, newPip) : subnet_var)
- }
- ], additionalPublicIpConfigurations_var)
-
+ ipConfigurations: ipConfigurations
 sku: {
 name: azureSkuName
 tier: azureSkuTier

From 353418bae6ca31704a19716eb2aa081ccf3a8c80 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Thu, 19 May 2022 14:42:07 +0200
Subject: [PATCH 4/5] Fixed several minor complains

---
 .../azureFirewalls/deploy.bicep | 12 +-
 .../azureFirewalls/readme.md | 315 +++++++++++++++++-
 2 files changed, 315 insertions(+), 12 deletions(-)

diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
index 39ffdb69b7..256147f8cd 100644
--- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep
+++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
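Review bot: The `properties:` line of the new `ipConfigurations` variable mixes two styles in one call — the second `union()` argument is a bare ternary while the third is wrapped in redundant parentheses — and the comment above it (`//Use existing public ip…`) lacks the space after `//` that the `// ---` separator line in the same hunk uses; one consistent form, `properties: union(subnet_var, !empty(azureFirewallSubnetPublicIpId) ? existingPip : {}, isCreateDefaultPublicIP ? newPip : {})` with `// Use existing public ip…`, reads more easily. Note also that `union()` lets the last argument win, so with `isCreateDefaultPublicIP` defaulting to `true` the module-created `newPip` now overrides a caller-supplied `existingPip` whenever both conditions hold, which the old nested ternary could not do; patch 5 of this series changes `newPip` to cover that case, so this hunk should not be taken without it. `existingPip` and `subnet_var` are defined above this hunk and their contents are not visible here.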
@@ -15,16 +15,16 @@ param azureSkuName string = 'AZFW_VNet'
 ])
 param azureSkuTier string = 'Standard'
 
-@description('Required. Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable')
+@description('Required. Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable.')
 param vNetId string
 
-@description('Optional. The public ip resource ID to associate to the AzureFirewallSubnet. If empty, then the public ip that is created as part of this module will be applied to the AzureFirewallSubnet')
+@description('Optional. The public ip resource ID to associate to the AzureFirewallSubnet. If empty, then the public ip that is created as part of this module will be applied to the AzureFirewallSubnet.')
 param azureFirewallSubnetPublicIpId string = ''
 
-@description('Optional. This is to add any additional public ip configurations on top of the public ip with subnet ip configuration')
+@description('Optional. This is to add any additional public ip configurations on top of the public ip with subnet ip configuration.')
 param additionalPublicIpConfigurations array = []
 
-@description('Optional. Specifies if a public ip should be created by default if one is not provided')
+@description('Optional. Specifies if a public ip should be created by default if one is not provided.')
 param isCreateDefaultPublicIP bool = true
 
 @description('Optional. Specifies the properties of the public IP to create and be used by Azure Firewall. If it\'s not provided and publicIPAddressId is empty, a \'-pip\' suffix will be appended to the Firewall\'s name.')
@@ -85,7 +85,7 @@ param location string = resourceGroup().location
 @description('Optional. Specify the type of lock.')
 param lock string = 'NotSpecified'
 
-@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
 
 @description('Optional. Tags of the Azure Firewall resource.')
@@ -290,7 +290,7 @@ output resourceGroupName string = resourceGroup().name
 @description('The private IP of the Azure firewall.')
 output privateIp string = azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress
 
-@description('The public ipconfiguration object for the AzureFirewallSubnet')
+@description('The public ipconfiguration object for the AzureFirewallSubnet.')
 output ipConfAzureFirewallSubnet object = azureFirewall.properties.ipConfigurations[0]
 
 @description('List of Application Rule Collections.')
diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md
index c661be4c9c..784df6694d 100644
--- a/arm/Microsoft.Network/azureFirewalls/readme.md
+++ b/arm/Microsoft.Network/azureFirewalls/readme.md
@@ -8,6 +8,7 @@ This module deploys a firewall. - [Parameters](#Parameters) - [Outputs](#Outputs) - [Considerations](#Considerations) +- [Deployment examples](#Deployment-examples) ## Resource types 
@@ -26,14 +27,14 @@ This module deploys a firewall. | Parameter Name | Type | Description | | :-- | :-- | :-- | | `name` | string | Name of the Azure Firewall. | -| `vNetId` | string | Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable | +| `vNetId` | string | Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `additionalPublicIpConfigurations` | array | `[]` | | This is to add any additional public ip configurations on top of the public ip with subnet ip configuration | +| `additionalPublicIpConfigurations` | array | `[]` | | This is to add any additional public ip configurations on top of the public ip with subnet ip configuration. | | `applicationRuleCollections` | array | `[]` | | Collection of application rule collections used by Azure Firewall. | -| `azureFirewallSubnetPublicIpId` | string | `''` | | The public ip resource ID to associate to the AzureFirewallSubnet. If empty, then the public ip that is created as part of this module will be applied to the AzureFirewallSubnet | +| `azureFirewallSubnetPublicIpId` | string | `''` | | The public ip resource ID to associate to the AzureFirewallSubnet. If empty, then the public ip that is created as part of this module will be applied to the AzureFirewallSubnet. | | `azureSkuName` | string | `'AZFW_VNet'` | `[AZFW_VNet, AZFW_Hub]` | Name of an Azure Firewall SKU. | | `azureSkuTier` | string | `'Standard'` | `[Standard, Premium]` | Tier of an Azure Firewall. 
| | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | 
@@ -46,13 +47,13 @@ This module deploys a firewall. | `diagnosticWorkspaceId` | string | `''` | | Log Analytics workspace resource identifier. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `firewallPolicyId` | string | `''` | | Resource ID of the Firewall Policy that should be attached. | -| `isCreateDefaultPublicIP` | bool | `True` | | Specifies if a public ip should be created by default if one is not provided | +| `isCreateDefaultPublicIP` | bool | `True` | | Specifies if a public ip should be created by default if one is not provided. | | `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `natRuleCollections` | array | `[]` | | Collection of NAT rule collections used by Azure Firewall. | | `networkRuleCollections` | array | `[]` | | Collection of network rule collections used by Azure Firewall. | | `publicIPAddressObject` | object | `{object}` | | Specifies the properties of the public IP to create and be used by Azure Firewall. If it's not provided and publicIPAddressId is empty, a '-pip' suffix will be appended to the Firewall's name. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `tags` | object | `{object}` | | Tags of the Azure Firewall resource. | | `threatIntelMode` | string | `'Deny'` | `[Alert, Deny, Off]` | The operation mode for Threat Intel. | | `zones` | array | `[1, 2, 3]` | | Zone numbers e.g. 1,2,3. | @@ -164,7 +165,7 @@ Tag names and tag values can be provided as needed. A tag can be left without a | Output Name | Type | Description | | :-- | :-- | :-- | | `applicationRuleCollections` | array | List of Application Rule Collections. | -| `ipConfAzureFirewallSubnet` | object | The public ipconfiguration object for the AzureFirewallSubnet | +| `ipConfAzureFirewallSubnet` | object | The public ipconfiguration object for the AzureFirewallSubnet. | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the Azure firewall. | | `natRuleCollections` | array | Collection of NAT rule collections used by Azure Firewall. | @@ -177,3 +178,305 @@ Tag names and tag values can be provided as needed. A tag can be left without a The `applicationRuleCollections` parameter accepts a JSON Array of AzureFirewallApplicationRule objects. The `networkRuleCollections` parameter accepts a JSON Array of AzureFirewallNetworkRuleCollection objects. + +## Deployment examples + +

Example 1

+ +
+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-fw-min-001" + }, + "vNetId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-azfw" + } + } +} + +``` + +
+ +
+ +via Bicep module + +```bicep +module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-azureFirewalls' + params: { + name: '<>-az-fw-min-001' + vNetId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-azfw' + } +``` + +
+

+ +

Example 2

+ +
+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-fw-x-001" + }, + "zones": { + "value": [ + "1", + "2", + "3" + ] + }, + "vNetId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-azfw" + }, + "azureFirewallSubnetPublicIpId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-fw" + }, + "applicationRuleCollections": { + "value": [ + { + "name": "allow-app-rules", + "properties": { + "priority": 100, + "action": { + "type": "allow" + }, + "rules": [ + { + "name": "allow-ase-tags", + "sourceAddresses": [ + "*" + ], + "protocols": [ + { + "protocolType": "HTTP", + "port": "80" + }, + { + "protocolType": "HTTPS", + "port": "443" + } + ], + "fqdnTags": [ + "AppServiceEnvironment", + "WindowsUpdate" + ] + }, + { + "name": "allow-ase-management", + "sourceAddresses": [ + "*" + ], + "protocols": [ + { + "protocolType": "HTTP", + "port": "80" + }, + { + "protocolType": "HTTPS", + "port": "443" + } + ], + "targetFqdns": [ + "management.azure.com" + ] + } + ] + } + } + ] + }, + "networkRuleCollections": { + "value": [ + { + "name": "allow-network-rules", + "properties": { + "priority": 100, + "action": { + "type": "allow" + }, + "rules": [ + { + "name": "allow-ntp", + "sourceAddresses": [ + "*" + ], + "destinationAddresses": [ + "*" + ], + "destinationPorts": [ + "123", + "12000" + ], + "protocols": [ + "Any" + ] + } + ] + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } + ] + }, + "diagnosticLogsRetentionInDays": { + "value": 7 + }, + "diagnosticStorageAccountId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" + }, + 
"diagnosticWorkspaceId": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001" + }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" + }, + "diagnosticEventHubName": { + "value": "adp-<>-az-evh-x-001" + } + } +} + +``` + +
+ +
+ +via Bicep module + +```bicep +module azureFirewalls './Microsoft.Network/azureFirewalls/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-azureFirewalls' + params: { + name: '<>-az-fw-x-001' + zones: [ + '1' + '2' + '3' + ] + vNetId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-azfw' + azureFirewallSubnetPublicIpId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-fw' + applicationRuleCollections: [ + { + name: 'allow-app-rules' + properties: { + priority: 100 + action: { + type: 'allow' + } + rules: [ + { + name: 'allow-ase-tags' + sourceAddresses: [ + '*' + ] + protocols: [ + { + protocolType: 'HTTP' + port: '80' + } + { + protocolType: 'HTTPS' + port: '443' + } + ] + fqdnTags: [ + 'AppServiceEnvironment' + 'WindowsUpdate' + ] + } + { + name: 'allow-ase-management' + sourceAddresses: [ + '*' + ] + protocols: [ + { + protocolType: 'HTTP' + port: '80' + } + { + protocolType: 'HTTPS' + port: '443' + } + ] + targetFqdns: [ + 'management.azure.com' + ] + } + ] + } + } + ] + networkRuleCollections: [ + { + name: 'allow-network-rules' + properties: { + priority: 100 + action: { + type: 'allow' + } + rules: [ + { + name: 'allow-ntp' + sourceAddresses: [ + '*' + ] + destinationAddresses: [ + '*' + ] + destinationPorts: [ + '123' + '12000' + ] + protocols: [ + 'Any' + ] + } + ] + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalIds: [ + '<>' + ] + } + ] + diagnosticLogsRetentionInDays: 7 + diagnosticStorageAccountId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001' + diagnosticWorkspaceId: '/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001' + diagnosticEventHubAuthorizationRuleId: 
'/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey' + diagnosticEventHubName: 'adp-<>-az-evh-x-001' + } +``` + +
+

From 8509ddf16054d7b394bde740221ec7592116bbfc Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Thu, 19 May 2022 16:17:56 +0200
Subject: [PATCH 5/5] Added condition

---
 arm/Microsoft.Network/azureFirewalls/deploy.bicep | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
index 256147f8cd..def11ea777 100644
--- a/arm/Microsoft.Network/azureFirewalls/deploy.bicep
+++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
@@ -142,9 +142,9 @@ var existingPip = {
 }
 }
 var newPip = {
- publicIPAddress: {
+ publicIPAddress: (empty(azureFirewallSubnetPublicIpId) && isCreateDefaultPublicIP) ? {
 id: publicIPAddress.outputs.resourceId
- }
+ } : null
 }
 
 var ipConfigurations = concat([
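Review bot: Setting `publicIPAddress` to `null` on the new line relies on `union()` not letting a later null-valued key override the `publicIPAddress` object that `existingPip` contributes earlier in `ipConfigurations` (visible as the hunk's last context line); if ARM's `union` treats a null like any other value (last argument wins), the firewall is deployed without the caller's public IP — verify with a deployment that sets `azureFirewallSubnetPublicIpId` and leaves `isCreateDefaultPublicIP` at its default `true`. A form that does not depend on null semantics makes the whole object conditional: `var newPip = (empty(azureFirewallSubnetPublicIpId) && isCreateDefaultPublicIP) ? { publicIPAddress: { id: publicIPAddress.outputs.resourceId } } : {}`. That also keeps the `publicIPAddress.outputs.resourceId` reference inside the only branch where the module is expected to exist, matching the pre-patch-3 behaviour of never evaluating `newPip` when it is not needed. `existingPip` is defined above this hunk and its contents are not visible here.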