[Modules] Service bus private networking ACL

modules/Microsoft.ServiceBus/namespaces/deploy.bicep

@@ -77,6 +77,9 @@ param roleAssignments array = []
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints array = []
 
+@description('Optional. Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules.')
+param networkRuleSets object = {}
+
 @description('Optional. Tags of the resource.')
 param tags object = {}
 
@@ -200,6 +203,19 @@ module serviceBusNamespace_virtualNetworkRules 'virtualNetworkRules/deploy.bicep
   }
 }]
 
+module serviceBusNamespace_networkRuleSet 'networkRuleSets/deploy.bicep' = if (!empty(networkRuleSets)) {
+  name: '${uniqueString(deployment().name, location)}-networkRuleSet'
+  params: {
+    namespaceName: serviceBusNamespace.name
+    defaultAction: contains(networkRuleSets, 'defaultAction') ? networkRuleSets.defaultAction : (!empty(privateEndpoints) ? 'Deny' : null)
+    publicNetworkAccess: contains(networkRuleSets, 'publicNetworkAccess') ? networkRuleSets.publicNetworkAccess : (!empty(privateEndpoints) ? 'Disabled' : null)
+    trustedServiceAccessEnabled: contains(networkRuleSets, 'trustedServiceAccessEnabled') ? networkRuleSets.trustedServiceAccessEnabled : true
+    virtualNetworkRules: contains(networkRuleSets, 'virtualNetworkRules') ? !empty(networkRuleSets.ipRules) ? networkRuleSets.virtualNetworkRules : [] : null
+    ipRules: contains(networkRuleSets, 'ipRules') ? !empty(networkRuleSets.ipRules) ? networkRuleSets.ipRules : [] : null
+    enableDefaultTelemetry: enableReferencedModulesTelemetry
+  }
+}
+
 module serviceBusNamespace_authorizationRules 'authorizationRules/deploy.bicep' = [for (authorizationRule, index) in authorizationRules: {
   name: '${uniqueString(deployment().name, location)}-AuthorizationRules-${index}'
   params: {

modules/Microsoft.ServiceBus/namespaces/networkRuleSets/deploy.bicep

@@ -0,0 +1,62 @@
+@description('Conditional. The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment.')
+@minLength(6)
+@maxLength(50)
+param namespaceName string
+
+@description('Required. The default is the only valid ruleset.')
+param name string = 'default'
+
+@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Required. Configure default action in virtual network rule set.')
+param defaultAction string
+
+@description('Required. Configure Publice Network Access restrictions in virtual network rule set.')
+param publicNetworkAccess string
+
+@description('Required. Configure Trusted Services in virtual network rule set.')
+param trustedServiceAccessEnabled bool
+
+@description('Optional. Configure IpFilter rules in virtual network rule set.')
+param ipRules array = []
+
+@description('Optional. Configure Virtual Network Rules in virtual network rule set.')
+param virtualNetworkRules array = []
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+  name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+    }
+  }
+}
+
+resource namespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview' existing = {
+  name: namespaceName
+}
+
+resource networkRuleSet 'Microsoft.ServiceBus/namespaces/networkRuleSets@2021-11-01' = {
+  name: name
+  parent: namespace
+  properties: {
+    defaultAction: defaultAction
+    publicNetworkAccess: publicNetworkAccess
+    trustedServiceAccessEnabled: trustedServiceAccessEnabled
+    ipRules: ipRules
+    virtualNetworkRules: virtualNetworkRules
+  }
+}
+
+@description('The name of the virtual network rule set deployment.')
+output name string = networkRuleSet.name
+
+@description('The Resource ID of the virtual network rule set.')
+output resourceId string = networkRuleSet.id
+
+@description('The name of the Resource Group the virtual network rule set was created in.')
+output resourceGroupName string = resourceGroup().name

modules/Microsoft.ServiceBus/namespaces/networkRuleSets/readme.md

@@ -0,0 +1,45 @@
+# ServiceBus Namespaces NetworkRuleSets `[Microsoft.ServiceBus/namespaces/networkRuleSets]`
+
+This module deploys ServiceBus Namespaces NetworkRuleSets.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.ServiceBus/namespaces/networkRuleSets` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-11-01/namespaces/networkRuleSets) |
+
+## Parameters
+
+**Required parameters**
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `defaultAction` | string |  | Configure default action in virtual network rule set. |
+| `name` | string | `'default'` | The default is the only valid ruleset. |
+| `publicNetworkAccess` | string |  | Configure Publice Network Access restrictions in virtual network rule set. |
+| `trustedServiceAccessEnabled` | bool |  | Configure Trusted Services in virtual network rule set. |
+
+**Conditional parameters**
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `namespaceName` | string | The name of the parent Service Bus Namespace for the Service Bus Network Rule Set. Required if the template is used in a standalone deployment. |
+
+**Optional parameters**
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
+| `ipRules` | array | `[]` | Configure IpFilter rules in virtual network rule set. |
+| `virtualNetworkRules` | array | `[]` | Configure Virtual Network Rules in virtual network rule set. |
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the virtual network rule set deployment. |
+| `resourceGroupName` | string | The name of the Resource Group the virtual network rule set was created in. |
+| `resourceId` | string | The Resource ID of the virtual network rule set. |

modules/Microsoft.ServiceBus/namespaces/networkRuleSets/version.json

@@ -0,0 +1,4 @@
+{
+    "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
+    "version": "0.1"
+}

modules/Microsoft.ServiceBus/namespaces/readme.md

@@ -23,6 +23,7 @@ This module deploys a service bus namespace resource.
 | `Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/disasterRecoveryConfigs) |
 | `Microsoft.ServiceBus/namespaces/ipfilterrules` | [2018-01-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2018-01-01-preview/namespaces/ipfilterrules) |
 | `Microsoft.ServiceBus/namespaces/migrationConfigurations` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/migrationConfigurations) |
+| `Microsoft.ServiceBus/namespaces/networkRuleSets` | [2021-11-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-11-01/namespaces/networkRuleSets) |
 | `Microsoft.ServiceBus/namespaces/queues` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-06-01-preview/namespaces/queues) |
 | `Microsoft.ServiceBus/namespaces/queues/authorizationRules` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2017-04-01/namespaces/queues/authorizationRules) |
 | `Microsoft.ServiceBus/namespaces/topics` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/2021-06-01-preview/namespaces/topics) |
@@ -55,6 +56,7 @@ This module deploys a service bus namespace resource.
 | `lock` | string | `''` | `[, CanNotDelete, ReadOnly]` | Specify the type of lock. |
 | `migrationConfigurations` | _[migrationConfigurations](migrationConfigurations/readme.md)_ object | `{object}` |  | The migration configuration. |
 | `name` | string | `''` |  | Name of the Service Bus Namespace. If no name is provided, then unique name will be created. |
+| `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` |  | Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules. |
 | `privateEndpoints` | array | `[]` |  | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
 | `queues` | _[queues](queues/readme.md)_ array | `[]` |  | The queues to create in the service bus namespace. |
 | `roleAssignments` | array | `[]` |  | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
@@ -70,7 +72,6 @@ This module deploys a service bus namespace resource.
 | :-- | :-- | :-- | :-- |
 | `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a SAS token to access the modules. |
 
-
 ### Parameter Usage: `roleAssignments`
 
 Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
@@ -207,6 +208,42 @@ privateEndpoints:  [
 </details>
 <p>
 
+### Parameter Usage: `networkAcl`
+
+Configure networing options on premium SKU only.
+
+<details>
+
+<summary>Parameter JSON format</summary>
+
+```json
+"networkAclConfig": {
+    "value" : {
+        "publicNetworkAccess": "Disabled",
+        "allowTrustedServices": true
+    }
+}
+
+
+```
+
+</details>
+
+<details>
+
+<summary>Bicep format</summary>
+
+```bicep
+networkingAclConfig: {
+    publicNetworkAccess: "Disabled"
+    allowTrustedServices: true
+}
+
+```
+
+</details>
+<p>
+
 ### Parameter Usage: `tags`
 
 Tag names and tag values can be provided as needed. A tag can be left without a value.