From 440e6c000537a528eae22885f2354efac7f69d6f Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Mon, 30 May 2022 16:12:23 +0100 Subject: [PATCH 01/36] Added ACL Config based on private endpoint config --- .../namespaces/deploy.bicep | 19 +++++++ .../namespaces/networkRuleSets/deploy.bicep | 54 +++++++++++++++++++ .../namespaces/networkRuleSets/readme.md | 48 +++++++++++++++++ .../namespaces/networkRuleSets/version.json | 4 ++ arm/Microsoft.ServiceBus/namespaces/readme.md | 1 + .../namespaces/version.json | 2 +- 6 files changed, 127 insertions(+), 1 deletion(-) create mode 100644 arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep create mode 100644 arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md create mode 100644 arm/Microsoft.ServiceBus/namespaces/networkRuleSets/version.json diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index 3a5627fbb7..2bda236166 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep @@ -141,6 +141,14 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null +var networkAcl = !empty(privateEndpoints) ? { + publicNetworkAccess: 'Enabled' + allowTrustedServices: true +} : { + publicNetworkAccess: 'Disabled' + allowTrustedServices: false +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
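Review bot: The `networkAcl` ternary in this hunk maps the two cases the wrong way round: a non-empty `privateEndpoints` yields `publicNetworkAccess: 'Enabled'` and an empty one yields `'Disabled'`. A namespace that has private endpoints therefore stays reachable over its public endpoint, while one without them has public access switched off and, as far as this hunk shows, no remaining network path. The property should be derived as `publicNetworkAccess: !empty(privateEndpoints) ? 'Disabled' : 'Enabled'`. PATCH 16/36 later in this series adopts that mapping, so the intermediate commits deploy the exposed configuration. A one-line comment above the variable stating the rule (`// private endpoints present => public network access off`) would make the intent checkable in review.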
@@ -198,6 +206,17 @@ module serviceBusNamespace_virtualNetworkRules 'virtualNetworkRules/deploy.bicep } }] +module serviceBusNamespace_NetworkAcls 'networkRuleSets/deploy.bicep' = if (skuName == 'Premium') { + name: '${uniqueString(deployment().name, location)}-NetworkAcl' + params: { + namespaceName: serviceBusNamespace.name + name: '${serviceBusNamespace.name}-${skuName}-ACL' + allowTrustedServices: networkAcl.allowTrustedServices + publicNetworkAccess: networkAcl.publicNetworkAccess + enableDefaultTelemetry: enableDefaultTelemetry + } +} + module serviceBusNamespace_authorizationRules 'authorizationRules/deploy.bicep' = [for (authorizationRule, index) in authorizationRules: { name: '${uniqueString(deployment().name, location)}-AuthorizationRules-${index}' params: { diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep new file mode 100644 index 0000000000..fc547b2ddc --- /dev/null +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep 
@@ -0,0 +1,54 @@
+@description('Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment.')
+@minLength(6)
+@maxLength(50)
+param namespaceName string
+
+@description('Required. The name of the virtual network rule.')
+param name string
+
+@description('Optional. Public Network Access for Premium Sku')
+@allowed([
+ 'Enabled'
+ 'Disabled'
+])
+param publicNetworkAccess string = 'Disabled'
+
+@description('Optional. Trusted Services Bypass for Premium Sku')
+param allowTrustedServices bool = true
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource namespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview' existing = {
+ name: namespaceName
+}
+
+resource networkACL 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11-01' = {
+ name: name
+ parent: namespace
+ properties: {
+ publicNetworkAccess: publicNetworkAccess
+ trustedServiceAccessEnabled: allowTrustedServices
+ }
+}
+
+@description('The name of the Network ACL Deployment.')
+output name string = networkACL.name
+
+@description('The Resource ID of the virtual network rule.')
+output resourceId string = networkACL.id
+
+@description('The name of the Resource Group the virtual network rule was created in.')
+output resourceGroupName string = resourceGroup().name
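Review bot: The `networkACL` resource sets only `publicNetworkAccess` and `trustedServiceAccessEnabled`, so the rule set's `defaultAction` is left to whatever the service applies by default, and the module cannot express "public endpoint on, but deny unless a rule matches". The trusted-services flag presumably only matters once traffic is restricted, so the two belong together. Consider exposing it explicitly with `param defaultAction string = 'Deny'`, constrained by `@allowed([ 'Allow' 'Deny' ])`, and `defaultAction: defaultAction` in `properties`. Separately, the three output descriptions and the `name` description still say "virtual network rule" although the resource deployed here is a network rule set.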
diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md
new file mode 100644
index 0000000000..2b65254cf4
--- /dev/null
+++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md
@@ -0,0 +1,48 @@
+# ServiceBus Namespaces NetworkRuleSets `[Microsoft.ServiceBus/namespaces/networkRuleSets]`
+
+This module deploys ServiceBus Namespaces NetworkRuleSets.
+// TODO: Replace Resource and fill in description
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.ServiceBus/namespaces/networkRuleSets` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-11-01/namespaces/networkRuleSets) |
+
+## Parameters
+
+**Required parameters**
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the virtual network rule. |
+
+**Conditional parameters**
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `namespaceName` | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. |
+
+**Optional parameters**
+| Parameter Name | Type | Default Value | Allowed Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `allowTrustedServices` | bool | `True` | | Trusted Services Bypass for Premium Sku |
+| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
+| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Public Network Access for Premium Sku |
+
+
+### Parameter Usage: ``
+
+// TODO: Fill in Parameter usage
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the Network ACL Deployment. |
+| `resourceGroupName` | string | The name of the Resource Group the virtual network rule was created in. |
+| `resourceId` | string | The Resource ID of the virtual network rule. |
diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/version.json b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/version.json new file mode 100644 index 0000000000..41f66cc990 --- /dev/null +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.1" +} diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 6e1304f01d..ccfd712fb2 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md 
@@ -23,6 +23,7 @@ This module deploys a service bus namespace resource. | `Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/disasterRecoveryConfigs) | | `Microsoft.ServiceBus/namespaces/ipfilterrules` | [2018-01-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2018-01-01-preview/namespaces/ipfilterrules) | | `Microsoft.ServiceBus/namespaces/migrationConfigurations` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/migrationConfigurations) | +| `Microsoft.ServiceBus/namespaces/networkRuleSets` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-11-01/namespaces/networkRuleSets) | | `Microsoft.ServiceBus/namespaces/queues` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-06-01-preview/namespaces/queues) | | `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/queues/authorizationRules) | | `Microsoft.ServiceBus/namespaces/topics` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-06-01-preview/namespaces/topics) | diff --git a/arm/Microsoft.ServiceBus/namespaces/version.json b/arm/Microsoft.ServiceBus/namespaces/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.ServiceBus/namespaces/version.json +++ b/arm/Microsoft.ServiceBus/namespaces/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } From 2876da4e81028673bdb2b578bd9fcedf1fdc6319 Mon Sep 17 00:00:00 2001 
From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Mon, 30 May 2022 16:13:55 +0100 Subject: [PATCH 02/36] Static Validation Config --- global.variables.yml | 4 ++-- settings.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/global.variables.yml b/global.variables.yml index 7fed8d13f9..e75632c0ca 100644 --- a/global.variables.yml +++ b/global.variables.yml @@ -14,7 +14,7 @@ variables: # Publish: Template-Spec settings ###################################### - templateSpecsDoPublish: true # Set to true, if you would like to publish module templates as template specs + templateSpecsDoPublish: false # Set to true, if you would like to publish module templates as template specs templateSpecsRGName: 'artifacts-rg' # The name of the resource group to publish to. If the resource group does not exist, it will be created. templateSpecsRGLocation: 'West Europe' # The location of the resource group to publish to templateSpecsDescription: components # The description to add to template specs published by this platform @@ -23,7 +23,7 @@ variables: # Publish: Private Bicep Registry settings ###################################### - bicepRegistryDoPublish: true # Set to true, if you would like to publish module templates to a bicep registry + bicepRegistryDoPublish: false # Set to true, if you would like to publish module templates to a bicep registry bicepRegistryName: adpsxxazacrx001 # The name of the bicep registry (ACR) to publish to. If it does not exist, it will be created. bicepRegistryRGName: 'artifacts-rg' # The resource group that hosts the private bicep registry (ACR) bicepRegistryRgLocation: 'West Europe' # The location of the resource group to publish to diff --git a/settings.json b/settings.json index 9198a0f7d0..2e91ecb1d0 100644 --- a/settings.json +++ b/settings.json 
@@ -5,7 +5,7 @@ "localTokens": [ { "name": "namePrefix", - "value": "carml", + "value": "csrml", "metadata": { "description": "A 3-5 character length string, included in the resources names" } From fd641ab29a0fa5eae3c8613d721b3b674187c99f Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Mon, 30 May 2022 16:21:18 +0100 Subject: [PATCH 03/36] Added trailing '.' --- .../namespaces/networkRuleSets/deploy.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index fc547b2ddc..f1cb1cbefc 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep @@ -6,14 +6,14 @@ param namespaceName string @description('Required. The name of the virtual network rule.') param name string -@description('Optional. Public Network Access for Premium Sku') +@description('Optional. Public Network Access for Premium Sku.') @allowed([ 'Enabled' 'Disabled' ]) param publicNetworkAccess string = 'Disabled' -@description('Optional. Trusted Services Bypass for Premium Sku') +@description('Optional. Trusted Services Bypass for Premium Sku.') param allowTrustedServices bool = true @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') From 94469efdd9f33ed9cbddb14e5780684e4a1b5ac5 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Mon, 30 May 2022 16:28:42 +0100 Subject: [PATCH 04/36] updated metadata descriptions --- arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md index 2b65254cf4..f0d8c18996 100644 
--- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md @@ -30,9 +30,9 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `allowTrustedServices` | bool | `True` | | Trusted Services Bypass for Premium Sku | +| `allowTrustedServices` | bool | `True` | | Trusted Services Bypass for Premium Sku. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Public Network Access for Premium Sku | +| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Public Network Access for Premium Sku. | ### Parameter Usage: `` From c1a2fc01b8f6ecb6bc062bf4f75b86923fa7e4a4 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Mon, 30 May 2022 17:09:11 +0100 Subject: [PATCH 05/36] updated default ruleset param --- arm/Microsoft.ServiceBus/namespaces/deploy.bicep | 1 - .../namespaces/networkRuleSets/deploy.bicep | 4 ++-- .../namespaces/networkRuleSets/readme.md | 6 +++--- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index 2bda236166..59e9089c0e 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -210,7 +210,6 @@ module serviceBusNamespace_NetworkAcls 'networkRuleSets/deploy.bicep' = if (skuN name: '${uniqueString(deployment().name, location)}-NetworkAcl' params: { namespaceName: serviceBusNamespace.name - name: '${serviceBusNamespace.name}-${skuName}-ACL' allowTrustedServices: networkAcl.allowTrustedServices publicNetworkAccess: networkAcl.publicNetworkAccess enableDefaultTelemetry: enableDefaultTelemetry diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index f1cb1cbefc..1ae81c330f 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep @@ -3,8 +3,8 @@ @maxLength(50) param namespaceName string -@description('Required. The name of the virtual network rule.') -param name string +@description('Required. The default is the only valid ruleset.') +param name string = 'default' @description('Optional. Public Network Access for Premium Sku.') @allowed([ diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md index f0d8c18996..69623822be 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md @@ -18,9 +18,9 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. ## Parameters **Required parameters** -| Parameter Name | Type | Description | -| :-- | :-- | :-- | -| `name` | string | The name of the virtual network rule. | +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `name` | string | `'default'` | The default is the only valid ruleset. | **Conditional parameters** | Parameter Name | Type | Description | From f9e4610994edcbf61ea58bf4f8e93fa515014383 Mon Sep 17 00:00:00 2001 
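Review bot: In the `networkRuleSets/deploy.bicep` hunk, `name` now has a default but its description still begins with "Required.", and nothing stops a caller from passing another value even though the description says `default` is the only valid one. Enforce that in the template with `@allowed([ 'default' ])` above the parameter, and change the description to `'Optional. The name of the network rule set. The only valid value is default.'`, so an invalid name is rejected at template validation rather than by the resource provider. The readme hunk in the same commit lists the parameter under "Required parameters" and needs the same correction.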
From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Tue, 31 May 2022 08:13:37 +0100 Subject: [PATCH 06/36] Replaced Globals for PR --- global.variables.yml | 4 ++-- settings.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/global.variables.yml b/global.variables.yml index e75632c0ca..7fed8d13f9 100644 --- a/global.variables.yml +++ b/global.variables.yml @@ -14,7 +14,7 @@ variables: # Publish: Template-Spec settings ###################################### - templateSpecsDoPublish: false # Set to true, if you would like to publish module templates as template specs + templateSpecsDoPublish: true # Set to true, if you would like to publish module templates as template specs templateSpecsRGName: 'artifacts-rg' # The name of the resource group to publish to. If the resource group does not exist, it will be created. templateSpecsRGLocation: 'West Europe' # The location of the resource group to publish to templateSpecsDescription: components # The description to add to template specs published by this platform @@ -23,7 +23,7 @@ variables: # Publish: Private Bicep Registry settings ###################################### - bicepRegistryDoPublish: false # Set to true, if you would like to publish module templates to a bicep registry + bicepRegistryDoPublish: true # Set to true, if you would like to publish module templates to a bicep registry bicepRegistryName: adpsxxazacrx001 # The name of the bicep registry (ACR) to publish to. If it does not exist, it will be created. bicepRegistryRGName: 'artifacts-rg' # The resource group that hosts the private bicep registry (ACR) bicepRegistryRgLocation: 'West Europe' # The location of the resource group to publish to diff --git a/settings.json b/settings.json index 2e91ecb1d0..9198a0f7d0 100644 --- a/settings.json +++ b/settings.json 
@@ -5,7 +5,7 @@ "localTokens": [ { "name": "namePrefix", - "value": "csrml", + "value": "carml", "metadata": { "description": "A 3-5 character length string, included in the resources names" } From 46ebf09a9be7daa5783131e4051ed64e7c6747dc Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Wed, 1 Jun 2022 14:29:41 +0100 Subject: [PATCH 07/36] removed whitespace Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- arm/Microsoft.ServiceBus/namespaces/deploy.bicep | 1 - 1 file changed, 1 deletion(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index 83adebb4ff..9d63f627c2 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep @@ -152,7 +152,6 @@ var networkAcl = !empty(privateEndpoints) ? { var enableChildTelemetry = false - resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { From 6d4a44604b693fa5e246c9aac38969088f6532ab Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Wed, 1 Jun 2022 14:58:18 +0100 Subject: [PATCH 08/36] Applied suggestions from @eriqua Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- arm/Microsoft.ServiceBus/namespaces/deploy.bicep | 1 - .../namespaces/networkRuleSets/deploy.bicep | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index 9d63f627c2..3d115d4a26 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -141,7 +141,6 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null - var networkAcl = !empty(privateEndpoints) ? { publicNetworkAccess: 'Enabled' allowTrustedServices: true diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index 1ae81c330f..6d8ddbfb14 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep @@ -1,4 +1,4 @@ -@description('Conditional. The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment.') +@description('Conditional. The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment.') @minLength(6) @maxLength(50) param namespaceName string From 6ca5b3e43a591c54e03c38a81d2d1a333605ac8f Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Wed, 1 Jun 2022 15:22:26 +0100 Subject: [PATCH 09/36] Added param for Azure Trusted Services Trusted Services set default is true --- .../namespaces/.parameters/parameters.json | 3 +++ arm/Microsoft.ServiceBus/namespaces/deploy.bicep | 7 +++++-- arm/Microsoft.ServiceBus/namespaces/readme.md | 2 ++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json index 99487b976b..c0b4b8dcd1 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json @@ -159,6 +159,9 @@ "service": "namespace" } ] + }, + "allowTrustedServices": { + "value": false } } } 
diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index 3d115d4a26..23a6768dbe 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep @@ -77,6 +77,9 @@ param roleAssignments array = [] @description('Optional. Configuration Details for private endpoints.') param privateEndpoints array = [] +@description('Optional. Allow trusted Azure services to access a network restricted Service Bus.') +param allowTrustedServices bool = true + @description('Optional. Tags of the resource.') param tags object = {} @@ -143,10 +146,10 @@ var identity = identityType != 'None' ? { var networkAcl = !empty(privateEndpoints) ? { publicNetworkAccess: 'Enabled' - allowTrustedServices: true + allowTrustedServices: allowTrustedServices } : { publicNetworkAccess: 'Disabled' - allowTrustedServices: false + allowTrustedServices: allowTrustedServices } var enableChildTelemetry = false diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 064fdb435e..261df95e6e 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md 
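Review bot: `allowTrustedServices` is introduced with a default of `true`, and the second hunk wires it into both branches of `networkAcl`, so the branch that previously hard-coded `allowTrustedServices: false` now enables the trusted-services bypass unless the caller opts out. That is a change towards the more permissive setting and the description does not mention it. Either default to the restrictive value with `param allowTrustedServices bool = false`, or say in the `@description` that the bypass is on by default and is only applied when the Premium rule set is deployed. After this change the two branches differ only in `publicNetworkAccess`, so the ternary could be reduced to that one property.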
@@ -40,6 +40,7 @@ This module deploys a service bus namespace resource. **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | +| `allowTrustedServices` | bool | `True` | | Allow trusted Azure services to access a network restricted Service Bus. | | `authorizationRules` | _[authorizationRules](authorizationRules/readme.md)_ array | `[System.Collections.Hashtable]` | | Authorization Rules for the Service Bus namespace. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | @@ -319,6 +320,7 @@ userAssignedIdentities: { module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-namespaces' params: { + } ``` From ae572b74a7791b5e6cf496e2be7c46e05e7fb76a Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Wed, 1 Jun 2022 15:29:29 +0100 Subject: [PATCH 10/36] updated readme to matech changes in #6d4a446 --- arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md index 69623822be..5ece8fc644 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md 
@@ -1,7 +1,6 @@ # ServiceBus Namespaces NetworkRuleSets `[Microsoft.ServiceBus/namespaces/networkRuleSets]` This module deploys ServiceBus Namespaces NetworkRuleSets. -// TODO: Replace Resource and fill in description ## Navigation @@ -25,7 +24,7 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. **Conditional parameters** | Parameter Name | Type | Description | | :-- | :-- | :-- | -| `namespaceName` | string | The name of the parent Service Bus Namespace for the Service Bus Queue. Required if the template is used in a standalone deployment. | +| `namespaceName` | string | The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | @@ -34,7 +33,6 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Public Network Access for Premium Sku. | - ### Parameter Usage: `` // TODO: Fill in Parameter usage From cea8697415e9707fccab2503dcd2502b1b90e93e Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Wed, 1 Jun 2022 15:34:14 +0100 Subject: [PATCH 11/36] Updated version following new param addition --- arm/Microsoft.ServiceBus/namespaces/version.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/version.json b/arm/Microsoft.ServiceBus/namespaces/version.json index badc0a2285..d52c7d0010 100644 --- a/arm/Microsoft.ServiceBus/namespaces/version.json +++ b/arm/Microsoft.ServiceBus/namespaces/version.json 
@@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.5" + "version": "0.6" } From 3c69a58bcfa3bea417237af1e70d340988de7177 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Mon, 6 Jun 2022 09:37:28 +0100 Subject: [PATCH 12/36] Apply suggestions from Marius code review NetworkACL => NetworkRuleSet Version Change Co-authored-by: Marius Storhaug --- arm/Microsoft.ServiceBus/namespaces/deploy.bicep | 4 ++-- arm/Microsoft.ServiceBus/namespaces/version.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index 23a6768dbe..bddb30a506 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep @@ -211,8 +211,8 @@ module serviceBusNamespace_virtualNetworkRules 'virtualNetworkRules/deploy.bicep } }] -module serviceBusNamespace_NetworkAcls 'networkRuleSets/deploy.bicep' = if (skuName == 'Premium') { - name: '${uniqueString(deployment().name, location)}-NetworkAcl' +module serviceBusNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (skuName == 'Premium') { + name: '${uniqueString(deployment().name, location)}-networkRuleSet' params: { namespaceName: serviceBusNamespace.name allowTrustedServices: networkAcl.allowTrustedServices diff --git a/arm/Microsoft.ServiceBus/namespaces/version.json b/arm/Microsoft.ServiceBus/namespaces/version.json index d52c7d0010..badc0a2285 100644 --- a/arm/Microsoft.ServiceBus/namespaces/version.json +++ b/arm/Microsoft.ServiceBus/namespaces/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.6" + "version": "0.5" } 
From 4ec874e336c3c11da1b77654370089648e0a8f32 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Mon, 6 Jun 2022 12:29:47 +0100 Subject: [PATCH 13/36] Apply suggestions from Marius code review Friendly name of resource change to match resource type Co-authored-by: Marius Storhaug --- .../namespaces/networkRuleSets/deploy.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index 6d8ddbfb14..4299349c13 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep @@ -35,7 +35,7 @@ resource namespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview' existing name: namespaceName } -resource networkACL 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11-01' = { +resource networkRuleSet 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11-01' = { name: name parent: namespace properties: { @@ -45,10 +45,10 @@ resource networkACL 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11-01' } @description('The name of the Network ACL Deployment.') -output name string = networkACL.name +output name string = networkRuleSet.name @description('The Resource ID of the virtual network rule.') -output resourceId string = networkACL.id +output resourceId string = networkRuleSet.id @description('The name of the Resource Group the virtual network rule was created in.') output resourceGroupName string = resourceGroup().name From 134230a6cfbf5b34b3d45c17ae84a2e8e9d6fd05 Mon Sep 17 00:00:00 2001 
From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Mon, 6 Jun 2022 12:31:16 +0100 Subject: [PATCH 14/36] Update arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md Removed TODO's Co-authored-by: Marius Storhaug --- arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md index 5ece8fc644..810cc7d97e 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md @@ -33,10 +33,6 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Public Network Access for Premium Sku. | -### Parameter Usage: `` - -// TODO: Fill in Parameter usage - ## Outputs | Output Name | Type | Description | From 1422c0a3939fe34e42092b74b696fb007e41e1cb Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Mon, 6 Jun 2022 12:33:38 +0100 Subject: [PATCH 15/36] Update arm/Microsoft.ServiceBus/namespaces/readme.md Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- arm/Microsoft.ServiceBus/namespaces/readme.md | 1 - 1 file changed, 1 deletion(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 261df95e6e..df31895d14 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md @@ -320,7 +320,6 @@ userAssignedIdentities: { module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-namespaces' params: { - } ``` 
From 286048d6a32b9ea5f20bffbdab5da829f7238e27 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Tue, 7 Jun 2022 20:18:21 +0100 Subject: [PATCH 16/36] Updated default network rule set & param overide --- .../namespaces/.parameters/parameters.json | 8 ++- .../namespaces/deploy.bicep | 14 ++--- arm/Microsoft.ServiceBus/namespaces/readme.md | 52 +++++++++++++++++++ 3 files changed, 66 insertions(+), 8 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json index c0b4b8dcd1..0364302535 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json @@ -161,7 +161,13 @@ ] }, "allowTrustedServices": { - "value": false + "value": true + }, + "networkingAclConfig": { + "value": { + "publicNetworkAccess": "Disabled", + "allowTrustedServices": true + } } } } diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index bddb30a506..eff4b7930c 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep @@ -80,6 +80,9 @@ param privateEndpoints array = [] @description('Optional. Allow trusted Azure services to access a network restricted Service Bus.') param allowTrustedServices bool = true +@description('Optional. Configure networking options for Premium SKU Service Bus.') +param networkAclConfig object = {} + @description('Optional. Tags of the resource.') param tags object = {} 
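Review bot: The parameter file adds the key `networkingAclConfig`, but the parameter declared in `deploy.bicep` in this same commit is `networkAclConfig`, so the two names do not match. A deployment using this file would presumably be rejected for an undeclared parameter, and in any case the intended override is never exercised by the test; rename the key to `"networkAclConfig"`. The `param networkAclConfig object = {}` declaration also gives no hint of the expected shape. Its description should name `publicNetworkAccess` and `allowTrustedServices`, the two properties the module call reads from the resulting `networkAcl` object.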
@@ -144,13 +147,10 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var networkAcl = !empty(privateEndpoints) ? { - publicNetworkAccess: 'Enabled' - allowTrustedServices: allowTrustedServices -} : { - publicNetworkAccess: 'Disabled' +var networkAcl = !empty(networkAclConfig) ? { + publicNetworkAccess: !empty(privateEndpoints) ? 'Disabled' : 'Enabled' allowTrustedServices: allowTrustedServices -} +} : networkAclConfig var enableChildTelemetry = false @@ -211,7 +211,7 @@ module serviceBusNamespace_virtualNetworkRules 'virtualNetworkRules/deploy.bicep } }] -module serviceBusNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (skuName == 'Premium') { +module serviceBusNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (skuName == 'Premium' || !empty(networkAclConfig)) { name: '${uniqueString(deployment().name, location)}-networkRuleSet' params: { namespaceName: serviceBusNamespace.name diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index df31895d14..1bbff8a245 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md 
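Review bot: The rewritten `networkAcl` ternary looks inverted: when `networkAclConfig` is non-empty the computed object is used and the caller's settings are discarded, and when it is empty `networkAcl` becomes `{}`. The module call still reads `networkAcl.allowTrustedServices` and `networkAcl.publicNetworkAccess` (those lines are only removed in PATCH 20), so the empty case would likely fail at deployment. Swapping the branches, `var networkAcl = !empty(networkAclConfig) ? networkAclConfig : {`, gives the override behaviour the commit subject describes. Separately, the computed branch sets `publicNetworkAccess` to `'Enabled'` whenever `privateEndpoints` is empty, so the namespace is open to public networks by default; if that is intended, the `networkAclConfig` description should say so.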
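Review bot: The new condition `skuName == 'Premium' || !empty(networkAclConfig)` deploys the network rule set for any SKU as soon as `networkAclConfig` is supplied, while the parameter description and readme added in this commit say the option is for the Premium SKU only. If other SKUs do not support the resource, this turns a supplied parameter into a failed deployment; keeping `if (skuName == 'Premium')` and letting the config only select the values would avoid that. The same condition is carried into PATCH 20 as `!empty(networkRuleSets)`, and the module body continues outside this hunk.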
@@ -57,6 +57,7 @@ This module deploys a service bus namespace resource. | `lock` | string | `'NotSpecified'` | `[CanNotDelete, NotSpecified, ReadOnly]` | Specify the type of lock. | | `migrationConfigurations` | _[migrationConfigurations](migrationConfigurations/readme.md)_ object | `{object}` | | The migration configuration. | | `name` | string | `''` | | Name of the Service Bus Namespace. If no name is provided, then unique name will be created. | +| `networkAclConfig` | object | `{object}` | | Configure networking options for Premium SKU Service Bus. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | | `queues` | _[queues](queues/readme.md)_ array | `[]` | | The queues to create in the service bus namespace. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -209,6 +210,42 @@ privateEndpoints: [

+### Parameter Usage: `networkAcl` + +Configure networing options on premium SKU only. + +

+ +Parameter JSON format + +```json +"networkingAclConfig": { + "value" : { + "publicNetworkAccess": "Disabled", + "allowTrustedServices": true + } +} + + +``` + +
+ +
+ +Bicep format + +```bicep +networkingAclConfig: { + publicNetworkAccess: "Enabled" + allowTrustedServices: true +} + +``` + +
+

+ ### Parameter Usage: `tags` Tag names and tag values can be provided as needed. A tag can be left without a value. @@ -320,6 +357,7 @@ userAssignedIdentities: { module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-namespaces' params: { + } ``` @@ -494,6 +532,15 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "service": "namespace" } ] + }, + "allowTrustedServices": { + "value": true + }, + "networkingAclConfig": { + "value": { + "publicNetworkAccess": "Disabled", + "allowTrustedServices": true + } } } } @@ -630,6 +677,11 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { service: 'namespace' } ] + allowTrustedServices: true + networkingAclConfig: { + publicNetworkAccess: 'Disabled' + allowTrustedServices: true + } } ``` From 2d608262e7feca48aff52f37c8811413e923efa5 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Tue, 7 Jun 2022 20:20:24 +0100 Subject: [PATCH 17/36] Updated vars for test --- global.variables.yml | 4 ++-- settings.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/global.variables.yml b/global.variables.yml index 7fed8d13f9..e75632c0ca 100644 --- a/global.variables.yml +++ b/global.variables.yml @@ -14,7 +14,7 @@ variables: # Publish: Template-Spec settings ###################################### - templateSpecsDoPublish: true # Set to true, if you would like to publish module templates as template specs + templateSpecsDoPublish: false # Set to true, if you would like to publish module templates as template specs templateSpecsRGName: 'artifacts-rg' # The name of the resource group to publish to. If the resource group does not exist, it will be created. templateSpecsRGLocation: 'West Europe' # The location of the resource group to publish to templateSpecsDescription: components # The description to add to template specs published by this platform 
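Review bot: `templateSpecsDoPublish: false` reads like a fork-local test setting (the commit subject is "Updated vars for test") and would switch off template-spec publishing for every consumer of this pipeline if merged. The same applies to `bicepRegistryDoPublish: false` in the next hunk and to the `namePrefix` value `csrml` in settings.json. These shared values should be restored to `true` and `carml` before merge, or the overrides kept out of the PR branch. The trailing comment `# Set to true, if you would like to publish…` is unchanged, so nothing on the line marks the new value as temporary.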
@@ -23,7 +23,7 @@ variables: # Publish: Private Bicep Registry settings ###################################### - bicepRegistryDoPublish: true # Set to true, if you would like to publish module templates to a bicep registry + bicepRegistryDoPublish: false # Set to true, if you would like to publish module templates to a bicep registry bicepRegistryName: adpsxxazacrx001 # The name of the bicep registry (ACR) to publish to. If it does not exist, it will be created. bicepRegistryRGName: 'artifacts-rg' # The resource group that hosts the private bicep registry (ACR) bicepRegistryRgLocation: 'West Europe' # The location of the resource group to publish to diff --git a/settings.json b/settings.json index 9198a0f7d0..2e91ecb1d0 100644 --- a/settings.json +++ b/settings.json @@ -5,7 +5,7 @@ "localTokens": [ { "name": "namePrefix", - "value": "carml", + "value": "csrml", "metadata": { "description": "A 3-5 character length string, included in the resources names" } From 7fc4965d177e6f9f4a4b590b47cd9d94b5847960 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Tue, 7 Jun 2022 20:38:14 +0100 Subject: [PATCH 18/36] updated param name --- .../namespaces/.parameters/parameters.json | 2 +- .../namespaces/networkRuleSets/readme.md | 1 + arm/Microsoft.ServiceBus/namespaces/readme.md | 6 +++--- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json index d181b6e730..5f0f97eee2 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json @@ -166,7 +166,7 @@ "allowTrustedServices": { "value": true }, - "networkingAclConfig": { + "networkAclConfig": { "value": { "publicNetworkAccess": "Disabled", "allowTrustedServices": true 
diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md index 810cc7d97e..64e642ae2f 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md @@ -33,6 +33,7 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Public Network Access for Premium Sku. | + ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 89ec1dc528..81de191db6 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md @@ -219,7 +219,7 @@ Configure networing options on premium SKU only.

Parameter JSON format ```json -"networkingAclConfig": { +"networkAclConfig": { "value" : { "publicNetworkAccess": "Disabled", "allowTrustedServices": true @@ -539,7 +539,7 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "allowTrustedServices": { "value": true }, - "networkingAclConfig": { + "networkAclConfig": { "value": { "publicNetworkAccess": "Disabled", "allowTrustedServices": true @@ -682,7 +682,7 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { } ] allowTrustedServices: true - networkingAclConfig: { + networkAclConfig: { publicNetworkAccess: 'Disabled' allowTrustedServices: true } From 099d86e69f0b2bb6d38a03dc5f7ecd728ee16bc2 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Tue, 7 Jun 2022 20:41:53 +0100 Subject: [PATCH 19/36] Updated params to match networkAclConfig param --- .../namespaces/.parameters/parameters.json | 2 +- .../namespaces/networkRuleSets/readme.md | 1 + arm/Microsoft.ServiceBus/namespaces/readme.md | 6 +++--- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json index 0364302535..db74eb919e 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json @@ -163,7 +163,7 @@ "allowTrustedServices": { "value": true }, - "networkingAclConfig": { + "networkAclConfig": { "value": { "publicNetworkAccess": "Disabled", "allowTrustedServices": true diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md index 810cc7d97e..64e642ae2f 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md 
@@ -33,6 +33,7 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Public Network Access for Premium Sku. | + ## Outputs | Output Name | Type | Description | diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 1bbff8a245..b9f9c0f03d 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md @@ -219,7 +219,7 @@ Configure networing options on premium SKU only. Parameter JSON format ```json -"networkingAclConfig": { +"networkAclConfig": { "value" : { "publicNetworkAccess": "Disabled", "allowTrustedServices": true @@ -536,7 +536,7 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "allowTrustedServices": { "value": true }, - "networkingAclConfig": { + "networkAclConfig": { "value": { "publicNetworkAccess": "Disabled", "allowTrustedServices": true @@ -678,7 +678,7 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { } ] allowTrustedServices: true - networkingAclConfig: { + networkAclConfig: { publicNetworkAccess: 'Disabled' allowTrustedServices: true } From cb247884277e20bd9b52366d0e0797c1ddc601e2 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Thu, 9 Jun 2022 14:04:59 +0100 Subject: [PATCH 20/36] Set secure defaults & overide --- .../namespaces/.parameters/parameters.json | 7 +++-- .../namespaces/deploy.bicep | 29 +++++++++++++------ .../namespaces/networkRuleSets/deploy.bicep | 24 +++++++++++++-- .../namespaces/networkRuleSets/readme.md | 7 +++-- arm/Microsoft.ServiceBus/namespaces/readme.md | 17 +++++++---- 5 files changed, 63 insertions(+), 21 deletions(-) 
diff --git a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json index 5f0f97eee2..fbb7f3b308 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json @@ -166,10 +166,13 @@ "allowTrustedServices": { "value": true }, - "networkAclConfig": { + "networkRuleSets": { "value": { + "defaultAction": "Deny", "publicNetworkAccess": "Disabled", - "allowTrustedServices": true + "allowTrustedServices": true, + "virtualNetworkRules": [], + "ipRules": [] } } } diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index ba415dcf38..bf830555e7 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep @@ -77,11 +77,19 @@ param roleAssignments array = [] @description('Optional. Configuration Details for private endpoints.') param privateEndpoints array = [] +@description('Optional. Whether or not public endpoint access is allowed for this account.') +@allowed([ + '' + 'Enabled' + 'Disabled' +]) +param publicNetworkAccess string = '' + @description('Optional. Allow trusted Azure services to access a network restricted Service Bus.') -param allowTrustedServices bool = true +param trustedServiceAccessEnabled bool = true @description('Optional. Configure networking options for Premium SKU Service Bus.') -param networkAclConfig object = {} +param networkRuleSets object = {} @description('Optional. Tags of the resource.') param tags object = {} 
@@ -147,10 +155,13 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var networkAcl = !empty(networkAclConfig) ? { - publicNetworkAccess: !empty(privateEndpoints) ? 'Disabled' : 'Enabled' - allowTrustedServices: allowTrustedServices -} : networkAclConfig +var networkRuleSets_var = !empty(networkRuleSets) ? networkRuleSets : { + defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : (!empty(privateEndpoints) ? 'Deny' : null) + publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) + trustedServiceAccessEnabled: trustedServiceAccessEnabled + virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? !empty(networkRuleSets.ipRules) ? networkRuleSets.virtualNetworkRules : [] : null + ipRules: contains(networkRuleSets, 'ipRules') ? !empty(networkRuleSets.ipRules) ? networkRuleSets.ipRules : [] : null +} var enableChildTelemetry = false @@ -211,12 +222,12 @@ module serviceBusNamespace_virtualNetworkRules 'virtualNetworkRules/deploy.bicep } }] -module serviceBusNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (skuName == 'Premium' || !empty(networkAclConfig)) { +module serviceBusNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (skuName == 'Premium' || !empty(networkRuleSets)) { name: '${uniqueString(deployment().name, location)}-networkRuleSet' params: { namespaceName: serviceBusNamespace.name - allowTrustedServices: networkAcl.allowTrustedServices - publicNetworkAccess: networkAcl.publicNetworkAccess + trustedServiceAccessEnabled: networkRuleSets_var.trustedServiceAccessEnabled + publicNetworkAccess: networkRuleSets_var.publicNetworkAccess enableDefaultTelemetry: enableDefaultTelemetry } } 
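Review bot: In `networkRuleSets_var` the per-key fallbacks sit in the branch that is taken only when `networkRuleSets` is empty, so every `contains(networkRuleSets, …)` there is false and a caller-supplied object is passed through unmerged; a partial object (only `ipRules`, say) gets none of the `'Deny'` / `'Disabled'` fallbacks. Dropping the outer ternary, `var networkRuleSets_var = {`, makes the fallbacks apply per key. The `virtualNetworkRules` line also tests `networkRuleSets.ipRules` where `networkRuleSets.virtualNetworkRules` appears to be intended, which would likely fail once that branch is reachable and only `virtualNetworkRules` is supplied. With no private endpoints and no rule set, `defaultAction` and `publicNetworkAccess` resolve to `null`, so the outcome depends on the service default rather than on a value chosen here. The same expression is carried unchanged into the PATCH 23 hunk.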
diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index 4299349c13..5375ab6d4f 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep @@ -8,13 +8,28 @@ param name string = 'default' @description('Optional. Public Network Access for Premium Sku.') @allowed([ + '' 'Enabled' 'Disabled' ]) -param publicNetworkAccess string = 'Disabled' +param publicNetworkAccess string = '' + +@description('Optional. Defualt Action for Access to Service Bus.') +@allowed([ + '' + 'Allow' + 'Deny' +]) +param defaultAction string = '' @description('Optional. Trusted Services Bypass for Premium Sku.') -param allowTrustedServices bool = true +param trustedServiceAccessEnabled bool = true + +@description('Optional. A list of Virtual Network Rules to be allowed on the Service Bus. Not required when using the virtualNetworkRules Module.') +param virtualNetworkRules array = [] + +@description('Optional. A list of IP Rules to be allowed on the Service Bus. Not required when using the IpFilterRules Module.') +param ipRules array = [] @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true @@ -39,8 +54,11 @@ resource networkRuleSet 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11 name: name parent: namespace properties: { + defaultAction: defaultAction publicNetworkAccess: publicNetworkAccess - trustedServiceAccessEnabled: allowTrustedServices + trustedServiceAccessEnabled: trustedServiceAccessEnabled + ipRules: ipRules + virtualNetworkRules: virtualNetworkRules } } diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md index 64e642ae2f..9e46f8f794 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md 
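Review bot: `param publicNetworkAccess string = ''` replaces the previous `'Disabled'` default and the new `defaultAction` also defaults to `''`; both are forwarded unchanged into `properties` in the second hunk, so a standalone deployment of this module no longer closes public access by default, which runs against the commit subject "Set secure defaults". An empty string is presumably not a value the resource accepts for either property, so keeping `= 'Disabled'` or mapping the empty case, `defaultAction: !empty(defaultAction) ? defaultAction : null`, would be safer. The new description string also has a typo, `Defualt`.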
+++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md @@ -29,9 +29,12 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `allowTrustedServices` | bool | `True` | | Trusted Services Bypass for Premium Sku. | +| `defaultAction` | string | `''` | `[, Allow, Deny]` | Defualt Action for Access to Service Bus. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Public Network Access for Premium Sku. | +| `ipRules` | array | `[]` | | A list of IP Rules to be allowed on the Service Bus. Not required when using the IpFilterRules Module. | +| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Public Network Access for Premium Sku. | +| `trustedServiceAccessEnabled` | bool | `True` | | Trusted Services Bypass for Premium Sku. | +| `virtualNetworkRules` | array | `[]` | | A list of Virtual Network Rules to be allowed on the Service Bus. Not required when using the virtualNetworkRules Module. | ## Outputs diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 81de191db6..3406d16bee 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md 
@@ -40,7 +40,6 @@ This module deploys a service bus namespace resource. **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `allowTrustedServices` | bool | `True` | | Allow trusted Azure services to access a network restricted Service Bus. | | `authorizationRules` | _[authorizationRules](authorizationRules/readme.md)_ array | `[System.Collections.Hashtable]` | | Authorization Rules for the Service Bus namespace. | | `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | | `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | 
@@ -57,13 +56,15 @@ This module deploys a service bus namespace resource. | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | | `migrationConfigurations` | _[migrationConfigurations](migrationConfigurations/readme.md)_ object | `{object}` | | The migration configuration. | | `name` | string | `''` | | Name of the Service Bus Namespace. If no name is provided, then unique name will be created. | -| `networkAclConfig` | object | `{object}` | | Configure networking options for Premium SKU Service Bus. | +| `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Configure networking options for Premium SKU Service Bus. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | +| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public endpoint access is allowed for this account. | | `queues` | _[queues](queues/readme.md)_ array | `[]` | | The queues to create in the service bus namespace. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | | `topics` | _[topics](topics/readme.md)_ array | `[]` | | The topics to create in the service bus namespace. | +| `trustedServiceAccessEnabled` | bool | `True` | | Allow trusted Azure services to access a network restricted Service Bus. | | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. 
| | `virtualNetworkRules` | _[virtualNetworkRules](virtualNetworkRules/readme.md)_ array | `[]` | | vNet Rules SubnetIds for the Service Bus namespace. | | `zoneRedundant` | bool | `False` | | Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | @@ -539,10 +540,13 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "allowTrustedServices": { "value": true }, - "networkAclConfig": { + "networkRuleSets": { "value": { + "defaultAction": "Deny", "publicNetworkAccess": "Disabled", - "allowTrustedServices": true + "allowTrustedServices": true, + "virtualNetworkRules": [], + "ipRules": [] } } } @@ -682,9 +686,12 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { } ] allowTrustedServices: true - networkAclConfig: { + networkRuleSets: { + defaultAction: 'Deny' publicNetworkAccess: 'Disabled' allowTrustedServices: true + virtualNetworkRules: [] + ipRules: [] } } ``` From 3664e8681e46538d76dcc5a94ade207ba5d4ddcb Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Thu, 9 Jun 2022 14:14:32 +0100 Subject: [PATCH 21/36] updated param trustedServiceAccessEnabled --- arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json index fbb7f3b308..08c2d4e578 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json @@ -170,7 +170,7 @@ "value": { "defaultAction": "Deny", "publicNetworkAccess": "Disabled", - "allowTrustedServices": true, + "trustedServiceAccessEnabled": true, "virtualNetworkRules": [], "ipRules": [] } From f4a072bdcb7ea7b37c57debedfb88a29de483cae Mon Sep 17 00:00:00 2001 
From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Thu, 9 Jun 2022 14:22:43 +0100 Subject: [PATCH 22/36] Fixed broken param trustedServiceAccessEnabled --- arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json index 08c2d4e578..8c03b1fcaa 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json @@ -163,7 +163,7 @@ } ] }, - "allowTrustedServices": { + "trustedServiceAccessEnabled": { "value": true }, "networkRuleSets": { From 79138e07b1915ab19b916b166ebdc13c68158b45 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Thu, 9 Jun 2022 18:39:20 +0100 Subject: [PATCH 23/36] UPdated deployment files --- .../namespaces/deploy.bicep | 19 +++---------------- .../namespaces/networkRuleSets/deploy.bicep | 14 ++++++++------ 2 files changed, 11 insertions(+), 22 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index bf830555e7..527e8e2bcd 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -77,17 +77,6 @@ param roleAssignments array = [] @description('Optional. Configuration Details for private endpoints.') param privateEndpoints array = [] -@description('Optional. Whether or not public endpoint access is allowed for this account.') -@allowed([ - '' - 'Enabled' - 'Disabled' -]) -param publicNetworkAccess string = '' - -@description('Optional. Allow trusted Azure services to access a network restricted Service Bus.') -param trustedServiceAccessEnabled bool = true - @description('Optional. Configure networking options for Premium SKU Service Bus.') param networkRuleSets object = {} @@ -157,8 +146,8 @@ var identity = identityType != 'None' ? { var networkRuleSets_var = !empty(networkRuleSets) ? networkRuleSets : { defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : (!empty(privateEndpoints) ? 'Deny' : null) - publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) - trustedServiceAccessEnabled: trustedServiceAccessEnabled + publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) ? 'Disabled' : null) + trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? !empty(networkRuleSets.ipRules) ? networkRuleSets.virtualNetworkRules : [] : null ipRules: contains(networkRuleSets, 'ipRules') ? !empty(networkRuleSets.ipRules) ? networkRuleSets.ipRules : [] : null } 
@@ -226,9 +215,7 @@ module serviceBusNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (s name: '${uniqueString(deployment().name, location)}-networkRuleSet' params: { namespaceName: serviceBusNamespace.name - trustedServiceAccessEnabled: networkRuleSets_var.trustedServiceAccessEnabled - publicNetworkAccess: networkRuleSets_var.publicNetworkAccess - enableDefaultTelemetry: enableDefaultTelemetry + networkRuleSet: networkRuleSets_var } } diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index 5375ab6d4f..5841fa8a09 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep @@ -34,6 +34,8 @@ param ipRules array = [] @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true +param networkRuleSet object = {} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { 
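Review bot: The module call no longer passes `enableDefaultTelemetry`, so the child module falls back to its own default of `true` and deploys its `pid-…` telemetry resource even when the parent was deployed with telemetry switched off. Restoring a line such as `enableDefaultTelemetry: enableChildTelemetry` (or the removed `enableDefaultTelemetry: enableDefaultTelemetry`, whichever the sibling modules use) keeps the opt-out effective. In the second hunk, `param networkRuleSet object = {}` is added without an `@description`; a line like `@description('Optional. Network rule set properties: defaultAction, publicNetworkAccess, trustedServiceAccessEnabled, ipRules, virtualNetworkRules.')` would document the expected keys.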
@@ -50,15 +52,15 @@ resource namespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview' existing name: namespaceName } -resource networkRuleSet 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11-01' = { +resource serviceBusNamespace_networkRuleSet 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11-01' = { name: name parent: namespace properties: { - defaultAction: defaultAction - publicNetworkAccess: publicNetworkAccess - trustedServiceAccessEnabled: trustedServiceAccessEnabled - ipRules: ipRules - virtualNetworkRules: virtualNetworkRules + defaultAction: networkRuleSet.defaultAction + publicNetworkAccess: networkRuleSet.publicNetworkAccess + trustedServiceAccessEnabled: networkRuleSet.trustedServiceAccessEnabled + ipRules: networkRuleSet.ipRules + virtualNetworkRules: networkRuleSet.virtualNetworkRules } } From e41d1288cc8c29a519f93ee083b6a2a3b86f7f2a Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Thu, 9 Jun 2022 19:31:46 +0100 Subject: [PATCH 24/36] Updated for networkRuleSets object param & readme updates --- .../namespaces/deploy.bicep | 2 +- .../namespaces/networkRuleSets/deploy.bicep | 25 ------------------- .../namespaces/networkRuleSets/readme.md | 11 +++----- arm/Microsoft.ServiceBus/namespaces/readme.md | 12 ++++----- 4 files changed, 9 insertions(+), 41 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index 527e8e2bcd..f34b23ac3a 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep 
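Review bot: All five `properties` values are now read straight off `networkRuleSet`, which defaults to `{}`, so a standalone deployment with defaults, or a parent that passes a partial object, would fail on the first missing key. The `@allowed` checks that the typed parameters gave for `defaultAction` and `publicNetworkAccess` are also bypassed, so an invalid value only surfaces at the resource provider. Guarding each access with `contains()` keeps the module deployable. The `null` fallbacks below leave the choice to the service default, so substitute `'Deny'` / `'Disabled'` there if the module is meant to be closed by default.
```bicep
resource serviceBusNamespace_networkRuleSet 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11-01' = {
  // … unchanged: name, parent …
  properties: {
    defaultAction: contains(networkRuleSet, 'defaultAction') ? networkRuleSet.defaultAction : null
    publicNetworkAccess: contains(networkRuleSet, 'publicNetworkAccess') ? networkRuleSet.publicNetworkAccess : null
    trustedServiceAccessEnabled: contains(networkRuleSet, 'trustedServiceAccessEnabled') ? networkRuleSet.trustedServiceAccessEnabled : true
    ipRules: contains(networkRuleSet, 'ipRules') ? networkRuleSet.ipRules : []
    virtualNetworkRules: contains(networkRuleSet, 'virtualNetworkRules') ? networkRuleSet.virtualNetworkRules : []
```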
@@ -77,7 +77,7 @@ param roleAssignments array = [] @description('Optional. Configuration Details for private endpoints.') param privateEndpoints array = [] -@description('Optional. Configure networking options for Premium SKU Service Bus.') +@description('Optional. Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules.') param networkRuleSets object = {} @description('Optional. Tags of the resource.') diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index 5841fa8a09..6a747a75c7 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep @@ -6,31 +6,6 @@ param namespaceName string @description('Required. The default is the only valid ruleset.') param name string = 'default' -@description('Optional. Public Network Access for Premium Sku.') -@allowed([ - '' - 'Enabled' - 'Disabled' -]) -param publicNetworkAccess string = '' - -@description('Optional. Defualt Action for Access to Service Bus.') -@allowed([ - '' - 'Allow' - 'Deny' -]) -param defaultAction string = '' - -@description('Optional. Trusted Services Bypass for Premium Sku.') -param trustedServiceAccessEnabled bool = true - -@description('Optional. A list of Virtual Network Rules to be allowed on the Service Bus. Not required when using the virtualNetworkRules Module.') -param virtualNetworkRules array = [] - -@description('Optional. A list of IP Rules to be allowed on the Service Bus. Not required when using the IpFilterRules Module.') -param ipRules array = [] - @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true 
diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md index 9e46f8f794..4fb561257f 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md @@ -27,14 +27,9 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. | `namespaceName` | string | The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment. | **Optional parameters** -| Parameter Name | Type | Default Value | Allowed Values | Description | -| :-- | :-- | :-- | :-- | :-- | -| `defaultAction` | string | `''` | `[, Allow, Deny]` | Defualt Action for Access to Service Bus. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `ipRules` | array | `[]` | | A list of IP Rules to be allowed on the Service Bus. Not required when using the IpFilterRules Module. | -| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Public Network Access for Premium Sku. | -| `trustedServiceAccessEnabled` | bool | `True` | | Trusted Services Bypass for Premium Sku. | -| `virtualNetworkRules` | array | `[]` | | A list of Virtual Network Rules to be allowed on the Service Bus. Not required when using the virtualNetworkRules Module. | +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | ## Outputs diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 3406d16bee..0ae30cb156 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md 
@@ -56,15 +56,13 @@ This module deploys a service bus namespace resource. | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | | `migrationConfigurations` | _[migrationConfigurations](migrationConfigurations/readme.md)_ object | `{object}` | | The migration configuration. | | `name` | string | `''` | | Name of the Service Bus Namespace. If no name is provided, then unique name will be created. | -| `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Configure networking options for Premium SKU Service Bus. | +| `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | -| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public endpoint access is allowed for this account. | | `queues` | _[queues](queues/readme.md)_ array | `[]` | | The queues to create in the service bus namespace. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | | `topics` | _[topics](topics/readme.md)_ array | `[]` | | The topics to create in the service bus namespace. | -| `trustedServiceAccessEnabled` | bool | `True` | | Allow trusted Azure services to access a network restricted Service Bus. 
| | `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | | `virtualNetworkRules` | _[virtualNetworkRules](virtualNetworkRules/readme.md)_ array | `[]` | | vNet Rules SubnetIds for the Service Bus namespace. | | `zoneRedundant` | bool | `False` | | Enabling this property creates a Premium Service Bus Namespace in regions supported availability zones. | @@ -537,14 +535,14 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { } ] }, - "allowTrustedServices": { + "trustedServiceAccessEnabled": { "value": true }, "networkRuleSets": { "value": { "defaultAction": "Deny", "publicNetworkAccess": "Disabled", - "allowTrustedServices": true, + "trustedServiceAccessEnabled": true, "virtualNetworkRules": [], "ipRules": [] } @@ -685,11 +683,11 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { service: 'namespace' } ] - allowTrustedServices: true + trustedServiceAccessEnabled: true networkRuleSets: { defaultAction: 'Deny' publicNetworkAccess: 'Disabled' - allowTrustedServices: true + trustedServiceAccessEnabled: true virtualNetworkRules: [] ipRules: [] } From 354ac38f93a08fa98bfb0ffa7555ec226aa25678 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Thu, 9 Jun 2022 19:37:22 +0100 Subject: [PATCH 25/36] removed unused param from param file --- .../namespaces/.parameters/parameters.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json index 8c03b1fcaa..29ec09c411 100644 --- a/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json +++ b/arm/Microsoft.ServiceBus/namespaces/.parameters/parameters.json @@ -163,9 +163,6 @@ } ] }, - "trustedServiceAccessEnabled": { - "value": true - }, "networkRuleSets": { "value": { "defaultAction": "Deny", From 67eb8dd04b9be12f1a2ee765057ce38e3590618a Mon Sep 17 00:00:00 2001 
From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Thu, 9 Jun 2022 19:41:50 +0100 Subject: [PATCH 26/36] Updated param description --- arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep | 1 + arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md | 1 + 2 files changed, 2 insertions(+) diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index 6a747a75c7..1b64153219 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep @@ -9,6 +9,7 @@ param name string = 'default' @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true +@description('Required. Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules.') param networkRuleSet object = {} resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md index 4fb561257f..1fba33da94 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md @@ -20,6 +20,7 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | | `name` | string | `'default'` | The default is the only valid ruleset. | +| `networkRuleSet` | object | `{object}` | Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules. | **Conditional parameters** | Parameter Name | Type | Description | 
From fe20d98dfae6152a01a13d587012eca5c0e4e018 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Fri, 10 Jun 2022 08:39:48 +0100 Subject: [PATCH 27/36] updated readme.md --- arm/Microsoft.ServiceBus/namespaces/readme.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 0ae30cb156..d73023509e 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md @@ -535,9 +535,6 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { } ] }, - "trustedServiceAccessEnabled": { - "value": true - }, "networkRuleSets": { "value": { "defaultAction": "Deny", @@ -683,7 +680,6 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { service: 'namespace' } ] - trustedServiceAccessEnabled: true networkRuleSets: { defaultAction: 'Deny' publicNetworkAccess: 'Disabled' From 11e70d176be16b713d8313036fb0a80c8cf9386c Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Tue, 5 Jul 2022 13:00:08 +0100 Subject: [PATCH 28/36] Updated params on child module per request from Erika --- .../namespaces/deploy.bicep | 14 +++----- .../namespaces/networkRuleSets/deploy.bicep | 36 ++++++++++++------- .../namespaces/networkRuleSets/readme.md | 14 ++++---- arm/Microsoft.ServiceBus/namespaces/readme.md | 3 +- 4 files changed, 39 insertions(+), 28 deletions(-) diff --git a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep index 18ade93ff0..636645d573 100644 --- a/arm/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/deploy.bicep 
@@ -144,14 +144,6 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var networkRuleSets_var = !empty(networkRuleSets) ? networkRuleSets : { - defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : (!empty(privateEndpoints) ? 'Deny' : null) - publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) ? 'Disabled' : null) - trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true - virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? !empty(networkRuleSets.ipRules) ? networkRuleSets.virtualNetworkRules : [] : null - ipRules: contains(networkRuleSets, 'ipRules') ? !empty(networkRuleSets.ipRules) ? networkRuleSets.ipRules : [] : null -} - var enableReferencedModulesTelemetry = false resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { 
@@ -215,7 +207,11 @@ module serviceBusNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (s name: '${uniqueString(deployment().name, location)}-networkRuleSet' params: { namespaceName: serviceBusNamespace.name - networkRuleSet: networkRuleSets_var + defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : (!empty(privateEndpoints) ? 'Deny' : null) + publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) ? 'Disabled' : null) + trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true + virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? !empty(networkRuleSets.ipRules) ? networkRuleSets.virtualNetworkRules : [] : null + ipRules: contains(networkRuleSets, 'ipRules') ? !empty(networkRuleSets.ipRules) ? networkRuleSets.ipRules : [] : null } } diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index 1b64153219..da87724418 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep 
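Review bot: The added `virtualNetworkRules` argument tests `!empty(networkRuleSets.ipRules)` instead of the virtual network rules, so a caller's subnet rules are replaced by `[]` whenever `ipRules` is empty, and the expression reads a property that may be absent when only `virtualNetworkRules` is supplied. The line should read `virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? networkRuleSets.virtualNetworkRules : []`, and `ipRules` can take the same shape, since the inner `!empty(...)` test only maps an empty list to `[]`. Separately, the `null` fallbacks for `defaultAction` and `publicNetworkAccess` are passed to parameters that the child module declares as plain `string` in this same patch; that looks likely to fail, or to leave the service default in place, when no private endpoint is configured. The same expressions appear unchanged as context in the PATCH 35/36 hunk, and the module declaration line itself is only visible in the hunk header.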
@@ -9,8 +9,20 @@ param name string = 'default' @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -@description('Required. Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules.') -param networkRuleSet object = {} +@description('Required. Configure default action in virtual network rule set.') +param defaultAction string + +@description('Required. Configure Publice Network Access restrictions in virtual network rule set.') +param publicNetworkAccess string + +@description('Required. Configure Trusted Services in virtual network rule set.') +param trustedServiceAccessEnabled bool + +@description('Optional. Configure IpFilter rules in virtual network rule set.') +param ipRules array = [] + +@description('Optional. Configure Virtual Network Rules in virtual network rule set.') +param virtualNetworkRules array = [] resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' 
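Review bot: The new `defaultAction` and `publicNetworkAccess` parameters accept any string, whereas the parameters removed earlier in this series constrained them with `@allowed` lists. These two values decide whether the namespace is reachable from public networks, so a misspelt value should fail at template validation rather than at deployment time. I would restore an `@allowed` list of `'Allow'` and `'Deny'` on `defaultAction`, and one of `'Enabled'` and `'Disabled'` on `publicNetworkAccess`. The description of `publicNetworkAccess` also carries the typo `Publice`.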
@@ -32,19 +44,19 @@ resource serviceBusNamespace_networkRuleSet 'Microsoft.ServiceBus/namespaces/net name: name parent: namespace properties: { - defaultAction: networkRuleSet.defaultAction - publicNetworkAccess: networkRuleSet.publicNetworkAccess - trustedServiceAccessEnabled: networkRuleSet.trustedServiceAccessEnabled - ipRules: networkRuleSet.ipRules - virtualNetworkRules: networkRuleSet.virtualNetworkRules + defaultAction: defaultAction + publicNetworkAccess: publicNetworkAccess + trustedServiceAccessEnabled: trustedServiceAccessEnabled + ipRules: ipRules + virtualNetworkRules: virtualNetworkRules } } -@description('The name of the Network ACL Deployment.') -output name string = networkRuleSet.name +@description('The name of the virtual network rule set deployment.') +output name string = serviceBusNamespace_networkRuleSet.name -@description('The Resource ID of the virtual network rule.') -output resourceId string = networkRuleSet.id +@description('The Resource ID of the virtual network rule set.') +output resourceId string = serviceBusNamespace_networkRuleSet.id -@description('The name of the Resource Group the virtual network rule was created in.') +@description('The name of the Resource Group the virtual network rule set was created in.') output resourceGroupName string = resourceGroup().name diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md index 163b2412b5..b76308eebe 100644 --- a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md 
@@ -19,8 +19,10 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. **Required parameters** | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | +| `defaultAction` | string | | Configure default action in virtual network rule set. | | `name` | string | `'default'` | The default is the only valid ruleset. | -| `networkRuleSet` | object | `{object}` | Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules. | +| `publicNetworkAccess` | string | | Configure Publice Network Access restrictions in virtual network rule set. | +| `trustedServiceAccessEnabled` | bool | | Configure Trusted Services in virtual network rule set. | **Conditional parameters** | Parameter Name | Type | Description | @@ -31,13 +33,13 @@ This module deploys ServiceBus Namespaces NetworkRuleSets. | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). | - - +| `ipRules` | array | `[]` | Configure IpFilter rules in virtual network rule set. | +| `virtualNetworkRules` | array | `[]` | Configure Virtual Network Rules in virtual network rule set. | ## Outputs | Output Name | Type | Description | | :-- | :-- | :-- | -| `name` | string | The name of the Network ACL Deployment. | -| `resourceGroupName` | string | The name of the Resource Group the virtual network rule was created in. | -| `resourceId` | string | The Resource ID of the virtual network rule. | +| `name` | string | The name of the virtual network rule set deployment. | +| `resourceGroupName` | string | The name of the Resource Group the virtual network rule set was created in. | +| `resourceId` | string | The Resource ID of the virtual network rule set. | 
diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index 6bf30273d1..d73023509e 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md @@ -72,6 +72,7 @@ This module deploys a service bus namespace resource. | :-- | :-- | :-- | :-- | | `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a SAS token to access the modules. | + ### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. @@ -355,7 +356,7 @@ userAssignedIdentities: { module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-namespaces' params: { - + } ``` From 1e2c901678d02b815f5c53a516a102ac20225c88 Mon Sep 17 00:00:00 2001 From: Chris Sidebotham Date: Wed, 6 Jul 2022 09:54:25 +0100 Subject: [PATCH 29/36] Moved from ARM to modules due to Breaking change --- .../Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep | 0 .../Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md | 0 .../Microsoft.ServiceBus/namespaces/networkRuleSets/version.json | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename {arm => modules}/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep (100%) rename {arm => modules}/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md (100%) rename {arm => modules}/Microsoft.ServiceBus/namespaces/networkRuleSets/version.json (100%) 
diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep similarity index 100% rename from arm/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep rename to modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md similarity index 100% rename from arm/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md rename to modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md diff --git a/arm/Microsoft.ServiceBus/namespaces/networkRuleSets/version.json b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/version.json similarity index 100% rename from arm/Microsoft.ServiceBus/namespaces/networkRuleSets/version.json rename to modules/Microsoft.ServiceBus/namespaces/networkRuleSets/version.json From fe623dcc304fe7c74ee78b52cba7db916bad9180 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Wed, 6 Jul 2022 10:08:32 +0100 Subject: [PATCH 30/36] Updated version.json Committed in error merging latest changes from Azure:/main --- modules/Microsoft.AAD/DomainServices/version.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.AAD/DomainServices/version.json b/modules/Microsoft.AAD/DomainServices/version.json index badc0a2285..56f8d9ca40 100644 --- a/modules/Microsoft.AAD/DomainServices/version.json +++ b/modules/Microsoft.AAD/DomainServices/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.5" + "version": "0.4" } From deb53518115b3384c333f200b5ab674eba157fee Mon Sep 17 00:00:00 2001 
From: Chris Sidebotham Date: Wed, 6 Jul 2022 11:07:09 +0100 Subject: [PATCH 31/36] Updated friendly resource name --- .../namespaces/networkRuleSets/deploy.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep index da87724418..9c85ef10c5 100644 --- a/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep +++ b/modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep @@ -40,7 +40,7 @@ resource namespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview' existing name: namespaceName } -resource serviceBusNamespace_networkRuleSet 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11-01' = { +resource networkRuleSet 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11-01' = { name: name parent: namespace properties: { @@ -53,10 +53,10 @@ resource serviceBusNamespace_networkRuleSet 'Microsoft.ServiceBus/namespaces/net } @description('The name of the virtual network rule set deployment.') -output name string = serviceBusNamespace_networkRuleSet.name +output name string = networkRuleSet.name @description('The Resource ID of the virtual network rule set.') -output resourceId string = serviceBusNamespace_networkRuleSet.id +output resourceId string = networkRuleSet.id @description('The name of the Resource Group the virtual network rule set was created in.') output resourceGroupName string = resourceGroup().name From b1b955855ae7b9df9c95c8a5e194f56722e6a7ff Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Wed, 6 Jul 2022 11:36:47 +0100 Subject: [PATCH 32/36] Update condition on nsr deployments Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- modules/Microsoft.ServiceBus/namespaces/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep index 85c04a77c6..937ec34206 100644 --- a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep @@ -203,7 +203,7 @@ module serviceBusNamespace_virtualNetworkRules 'virtualNetworkRules/deploy.bicep } }] -module serviceBusNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (skuName == 'Premium' || !empty(networkRuleSets)) { +module serviceBusNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!empty(networkRuleSets)) { name: '${uniqueString(deployment().name, location)}-networkRuleSet' params: { namespaceName: serviceBusNamespace.name From 8a8b24bc58009c4219612fe3bfe7cd373a236aaf Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Wed, 6 Jul 2022 11:37:22 +0100 Subject: [PATCH 33/36] Update params template params set as defaults in code Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .../namespaces/.test/parameters.json | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json b/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json index 29ec09c411..50427123b4 100644 --- a/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json +++ b/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json @@ -162,15 +162,7 @@ "service": "namespace" } ] - }, - "networkRuleSets": { - "value": { - "defaultAction": "Deny", - "publicNetworkAccess": "Disabled", - "trustedServiceAccessEnabled": true, - "virtualNetworkRules": [], - "ipRules": [] - } + } } } } From 2b286cfcabee7e2d2ecab0890648a6f9194c35cc Mon Sep 17 00:00:00 2001 
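Review bot: With the condition reduced to `if (!empty(networkRuleSets))`, the fallbacks `(!empty(privateEndpoints) ? 'Deny' : null)` and `(!empty(privateEndpoints) ? 'Disabled' : null)` in this module's params can no longer apply on their own, because a deployment that configures private endpoints but passes no `networkRuleSets` skips the rule set entirely. Unless the namespace resource restricts public access elsewhere (not visible in this hunk), such a namespace would keep the service's default network access alongside its private endpoint. If the private-endpoint defaults are intended, the condition should be `if (!empty(networkRuleSets) || !empty(privateEndpoints))`. The params block continues outside the hunk.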
From: Chris Sidebotham Date: Wed, 6 Jul 2022 12:11:07 +0100 Subject: [PATCH 34/36] fixed json formatting --- modules/Microsoft.ServiceBus/namespaces/.test/parameters.json | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json b/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json index 50427123b4..33c0288e8c 100644 --- a/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json +++ b/modules/Microsoft.ServiceBus/namespaces/.test/parameters.json @@ -163,6 +163,5 @@ } ] } - } } } From d7418734c0bb012604ceb0d921f1c5e5769f3e86 Mon Sep 17 00:00:00 2001 From: ChrisSidebotham-MSFT <48600046+ChrisSidebotham@users.noreply.github.com> Date: Wed, 6 Jul 2022 15:45:59 +0100 Subject: [PATCH 35/36] Adding param for reinforced telemetry Co-authored-by: Alexander Sehr --- modules/Microsoft.ServiceBus/namespaces/deploy.bicep | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep index 937ec34206..3ba4a7b7b0 100644 --- a/modules/Microsoft.ServiceBus/namespaces/deploy.bicep +++ b/modules/Microsoft.ServiceBus/namespaces/deploy.bicep @@ -212,6 +212,7 @@ module serviceBusNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (! trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? !empty(networkRuleSets.ipRules) ? networkRuleSets.virtualNetworkRules : [] : null ipRules: contains(networkRuleSets, 'ipRules') ? !empty(networkRuleSets.ipRules) ? networkRuleSets.ipRules : [] : null + enableDefaultTelemetry: enableReferencedModulesTelemetry } } From ed7cf769e63194d7da11336e6f7972f2da368065 Mon Sep 17 00:00:00 2001 
From: Chris Sidebotham <48600046+ChrisSidebotham@users.noreply.github.com> Date: Thu, 7 Jul 2022 11:03:42 +0100 Subject: [PATCH 36/36] Updated readme.md file for module --- .../Microsoft.ServiceBus/namespaces/readme.md | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/modules/Microsoft.ServiceBus/namespaces/readme.md b/modules/Microsoft.ServiceBus/namespaces/readme.md index aa2753ed1c..976cd48a94 100644 --- a/modules/Microsoft.ServiceBus/namespaces/readme.md +++ b/modules/Microsoft.ServiceBus/namespaces/readme.md @@ -56,6 +56,7 @@ This module deploys a service bus namespace resource. | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. | | `migrationConfigurations` | _[migrationConfigurations](migrationConfigurations/readme.md)_ object | `{object}` | | The migration configuration. | | `name` | string | `''` | | Name of the Service Bus Namespace. If no name is provided, then unique name will be created. | +| `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules. | | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `queues` | _[queues](queues/readme.md)_ array | `[]` | | The queues to create in the service bus namespace. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | 
@@ -234,7 +235,7 @@ Configure networing options on premium SKU only. ```bicep networkingAclConfig: { - publicNetworkAccess: "Enabled" + publicNetworkAccess: "Disabled" allowTrustedServices: true } @@ -532,15 +533,6 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { "service": "namespace" } ] - }, - "networkRuleSets": { - "value": { - "defaultAction": "Deny", - "publicNetworkAccess": "Disabled", - "trustedServiceAccessEnabled": true, - "virtualNetworkRules": [], - "ipRules": [] - } } } } @@ -677,13 +669,6 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { service: 'namespace' } ] - networkRuleSets: { - defaultAction: 'Deny' - publicNetworkAccess: 'Disabled' - trustedServiceAccessEnabled: true - virtualNetworkRules: [] - ipRules: [] - } } } ```