2 changes: 1 addition & 1 deletion .github/PULL_REQUEST_TEMPLATE.md
Expand Up @@ -20,7 +20,7 @@ Please delete options that are not relevant.
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] This change requires a documentation update (Wiki)
- [ ] Update to documentation

# Checklist

15 changes: 15 additions & 0 deletions arm/Microsoft.AAD/DomainServices/deploy.bicep
Expand Up @@ -128,6 +128,9 @@ param tags object = {}
@maxValue(365)
param diagnosticLogsRetentionInDays int = 365

@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
param enableDefaultTelemetry bool = true

@allowed([
'CanNotDelete'
'NotSpecified'
Expand Down Expand Up @@ -172,6 +175,18 @@ var diagnosticsLogs = [for log in logsToEnable: {
}
}]

resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
}
}
}

resource domainService 'Microsoft.AAD/DomainServices@2021-05-01' = {
name: name
location: location
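Review bot: `enableDefaultTelemetry` defaults to `true`, so every consumer of this module creates the `pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-...` deployment unless they opt out, and the parameter description does not say this. The nested template is empty (`resources: []`), so only the deployment name carries the attribution. It still adds an entry to the deployment history, which matters where deployments are audited or restricted by policy. I would state the default and the opt-out in the description, for example `@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID). Enabled by default; set to false to skip the empty pid- deployment.')`, and mirror that wording in the readme row.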
1 change: 1 addition & 0 deletions arm/Microsoft.AAD/DomainServices/readme.md
Expand Up @@ -41,6 +41,7 @@ This template deploys Azure Active Directory Domain Services (AADDS).
| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
| `domainConfigurationType` | string | `'FullySynced'` | `[FullySynced, ResourceTrusting]` | The value is to provide domain configuration type. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `externalAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | The value is to enable the Secure LDAP for external services of Azure ADDS Services. |
| `filteredSync` | string | `'Enabled'` | | The value is to synchronise scoped users and groups. |
| `kerberosArmoring` | string | `'Enabled'` | `[Enabled, Disabled]` | The value is to enable to provide a protected channel between the Kerberos client and the KDC. |
2 changes: 1 addition & 1 deletion arm/Microsoft.Compute/virtualMachines/deploy.bicep
Original file line number Diff line number Diff line change
Expand Up @@ -352,7 +352,7 @@ module virtualMachine_nic '.bicep/nested_networkInterface.bicep' = [for (nicConf
enableIPForwarding: contains(nicConfiguration, 'enableIPForwarding') ? (!empty(nicConfiguration.enableIPForwarding) ? nicConfiguration.enableIPForwarding : false) : false
enableAcceleratedNetworking: contains(nicConfiguration, 'enableAcceleratedNetworking') ? nicConfiguration.enableAcceleratedNetworking : true
dnsServers: contains(nicConfiguration, 'dnsServers') ? (!empty(nicConfiguration.dnsServers) ? nicConfiguration.dnsServers : []) : []
networkSecurityGroupId: contains(nicConfiguration, 'nsgId') ? (!empty(nicConfiguration.nsgId) ? nicConfiguration.nsgId : '') : ''
networkSecurityGroupId: contains(nicConfiguration, 'networkSecurityGroupId') ? (!empty(nicConfiguration.networkSecurityGroupId) ? nicConfiguration.networkSecurityGroupId : '') : ''
ipConfigurationArray: nicConfiguration.ipConfigurations
lock: lock
diagnosticStorageAccountId: diagnosticStorageAccountId
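Review bot: A parameter file that still passes `nsgId` in a `nicConfigurations` entry is not rejected after this key rename. The `contains(nicConfiguration, 'networkSecurityGroupId')` check (the second line of the printed pair, taken here to be the new side) falls through to `''`. The NIC would then presumably be created without the network security group the caller asked for, with no error to show it. Either accept the old key as a fallback, `networkSecurityGroupId: contains(nicConfiguration, 'networkSecurityGroupId') ? nicConfiguration.networkSecurityGroupId : (contains(nicConfiguration, 'nsgId') ? nicConfiguration.nsgId : '')`, or document the rename as a breaking change so existing parameter files are updated. The `virtualMachine_nic` module block starts and ends outside the hunk.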
33 changes: 17 additions & 16 deletions arm/Microsoft.Network/azureFirewalls/deploy.bicep
Original file line number Diff line number Diff line change
Expand Up @@ -15,16 +15,16 @@ param azureSkuName string = 'AZFW_VNet'
])
param azureSkuTier string = 'Standard'

@description('Required. Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable')
@description('Required. Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. If a public ip is not provided, then the public ip that is created as part of this module will be applied with the subnet provided in this variable.')
param vNetId string

@description('Optional. The public ip resource ID to associate to the AzureFirewallSubnet. If empty, then the public ip that is created as part of this module will be applied to the AzureFirewallSubnet')
@description('Optional. The public ip resource ID to associate to the AzureFirewallSubnet. If empty, then the public ip that is created as part of this module will be applied to the AzureFirewallSubnet.')
param azureFirewallSubnetPublicIpId string = ''

@description('Optional. This is to add any additional public ip configurations on top of the public ip with subnet ip configuration')
@description('Optional. This is to add any additional public ip configurations on top of the public ip with subnet ip configuration.')
param additionalPublicIpConfigurations array = []

@description('Optional. Specifies if a public ip should be created by default if one is not provided')
@description('Optional. Specifies if a public ip should be created by default if one is not provided.')
param isCreateDefaultPublicIP bool = true

@description('Optional. Specifies the properties of the public IP to create and be used by Azure Firewall. If it\'s not provided and publicIPAddressId is empty, a \'-pip\' suffix will be appended to the Firewall\'s name.')
Expand Down Expand Up @@ -85,7 +85,7 @@ param location string = resourceGroup().location
@description('Optional. Specify the type of lock.')
param lock string = 'NotSpecified'

@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
param roleAssignments array = []

@description('Optional. Tags of the Azure Firewall resource.')
Expand Down Expand Up @@ -142,11 +142,19 @@ var existingPip = {
}
}
var newPip = {
publicIPAddress: {
publicIPAddress: (empty(azureFirewallSubnetPublicIpId) && isCreateDefaultPublicIP) ? {
id: publicIPAddress.outputs.resourceId
}
} : null
}

var ipConfigurations = concat([
{
name: 'IpConfAzureFirewallSubnet'
//Use existing public ip, new public ip created in this module, or none if isCreateDefaultPublicIP is false
properties: union(subnet_var, !empty(azureFirewallSubnetPublicIpId) ? existingPip : {}, (isCreateDefaultPublicIP ? newPip : {}))
}
], additionalPublicIpConfigurations_var)

// ----------------------------------------------------------------------------

var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
Expand Down Expand Up @@ -226,14 +234,7 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-05-01' = {
firewallPolicy: empty(firewallPolicyId) ? null : {
id: firewallPolicyId
}
ipConfigurations: concat([
{
name: 'IpConfAzureFirewallSubnet'
//Use existing public ip, new public ip created in this module, or none if isCreateDefaultPublicIP is false
properties: !empty(azureFirewallSubnetPublicIpId) ? union(subnet_var, existingPip) : (isCreateDefaultPublicIP ? union(subnet_var, newPip) : subnet_var)
}
], additionalPublicIpConfigurations_var)

ipConfigurations: ipConfigurations
sku: {
name: azureSkuName
tier: azureSkuTier
Expand Down Expand Up @@ -289,7 +290,7 @@ output resourceGroupName string = resourceGroup().name
@description('The private IP of the Azure firewall.')
output privateIp string = azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress

@description('The public ipconfiguration object for the AzureFirewallSubnet')
@description('The public ipconfiguration object for the AzureFirewallSubnet.')
output ipConfAzureFirewallSubnet object = azureFirewall.properties.ipConfigurations[0]

@description('List of Application Rule Collections.')
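Review bot: In the new `ipConfigurations` variable, `newPip` is merged whenever `isCreateDefaultPublicIP` is true, including when `azureFirewallSubnetPublicIpId` is set, and in that case `newPip.publicIPAddress` evaluates to `null`. The removed expression gave the existing public IP strict precedence. The new `union(subnet_var, existingPip, newPip)` instead depends on how `union()` treats a later `null`-valued property, and if the later value wins, the caller's public IP would be dropped from `IpConfAzureFirewallSubnet`. Since `isCreateDefaultPublicIP` defaults to `true`, that is the common path for anyone supplying their own IP. Keeping the precedence explicit avoids the question: `properties: union(subnet_var, !empty(azureFirewallSubnetPublicIpId) ? existingPip : (isCreateDefaultPublicIP ? newPip : {}))`. The inline comment could also state that an existing IP always wins over the default one.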