From 411cd064b289ea2d48fb32f1d071bd006437b937 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 4 Jun 2022 09:59:28 +0200 Subject: [PATCH 01/28] Implemented --no-restore for workaround --- arm/.global/global.module.tests.ps1 | 12 +++++------- utilities/tools/Set-ModuleReadMe.ps1 | 2 +- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/arm/.global/global.module.tests.ps1 b/arm/.global/global.module.tests.ps1 index 18944f911c..5b12b3ac17 100644 --- a/arm/.global/global.module.tests.ps1 +++ b/arm/.global/global.module.tests.ps1 @@ -149,7 +149,7 @@ Describe 'Readme tests' -Tag Readme { if (-not ($convertedTemplates.Keys -contains $moduleFolderPathKey)) { if (Test-Path (Join-Path $moduleFolderPath 'deploy.bicep')) { $templateFilePath = Join-Path $moduleFolderPath 'deploy.bicep' - $templateContent = az bicep build --file $templateFilePath --stdout | ConvertFrom-Json -AsHashtable + $templateContent = az bicep build --file $templateFilePath --stdout --no-restore | ConvertFrom-Json -AsHashtable } elseIf (Test-Path (Join-Path $moduleFolderPath 'deploy.json')) { $templateFilePath = Join-Path $moduleFolderPath 'deploy.json' $templateContent = Get-Content $templateFilePath -Raw | ConvertFrom-Json -AsHashtable @@ -468,7 +468,7 @@ Describe 'Deployment template tests' -Tag Template { if (-not ($convertedTemplates.Keys -contains $moduleFolderPathKey)) { if (Test-Path (Join-Path $moduleFolderPath 'deploy.bicep')) { $templateFilePath = Join-Path $moduleFolderPath 'deploy.bicep' - $templateContent = az bicep build --file $templateFilePath --stdout | ConvertFrom-Json -AsHashtable + $templateContent = az bicep build --file $templateFilePath --stdout --no-restore | ConvertFrom-Json -AsHashtable } elseIf (Test-Path (Join-Path $moduleFolderPath 'deploy.json')) { $templateFilePath = Join-Path $moduleFolderPath 'deploy.json' $templateContent = Get-Content $templateFilePath -Raw | ConvertFrom-Json -AsHashtable 
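Review bot: Adding `--no-restore` makes `az bicep build` fail outright whenever a referenced module is not already in the local cache, yet the output is still piped straight into `ConvertFrom-Json -AsHashtable` with no check of `$LASTEXITCODE`, so a failed build surfaces later as an empty `$templateContent` rather than at this line; the same applies to the hunks at 468 and 920 of this file and to Set-ModuleReadMe.ps1 at 628. The commit message only says "workaround", so a comment above the call stating what is being worked around would help the next maintainer decide when the flag can be dropped, e.g. `# --no-restore: skip module restore; assumes referenced modules are already cached locally (workaround for <issue-ref>)`. A guard such as `if ($LASTEXITCODE -ne 0) { throw "Bicep build of [$templateFilePath] failed" }` directly after the assignment would make the failure mode explicit. The enclosing `Describe` blocks start and end outside these hunks.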
@@ -801,10 +801,8 @@ Describe 'Deployment template tests' -Tag Template { $templateParameters = $templateContent.parameters.Keys foreach ($parameter in $templateParameters) { $data = ($templateContent.parameters.$parameter.metadata).description - switch -regex ($data) - { - '^Conditional. .*' - { + switch -regex ($data) { + '^Conditional. .*' { if ($data -notmatch '.*\. Required if .*') { $incorrectParameters += $parameter } @@ -922,7 +920,7 @@ Describe "API version tests [All apiVersions in the template should be 'recent'] if (-not ($convertedTemplates.Keys -contains $moduleFolderPathKey)) { if (Test-Path (Join-Path $moduleFolderPath 'deploy.bicep')) { $templateFilePath = Join-Path $moduleFolderPath 'deploy.bicep' - $templateContent = az bicep build --file $templateFilePath --stdout | ConvertFrom-Json -AsHashtable + $templateContent = az bicep build --file $templateFilePath --stdout --no-restore | ConvertFrom-Json -AsHashtable } elseIf (Test-Path (Join-Path $moduleFolderPath 'deploy.json')) { $templateFilePath = Join-Path $moduleFolderPath 'deploy.json' $templateContent = Get-Content $templateFilePath -Raw | ConvertFrom-Json -AsHashtable diff --git a/utilities/tools/Set-ModuleReadMe.ps1 b/utilities/tools/Set-ModuleReadMe.ps1 index df90c119b0..a91b2a501b 100644 --- a/utilities/tools/Set-ModuleReadMe.ps1 +++ b/utilities/tools/Set-ModuleReadMe.ps1 @@ -628,7 +628,7 @@ function Set-ModuleReadMe { if (-not $TemplateFileContent) { if ((Split-Path -Path $TemplateFilePath -Extension) -eq '.bicep') { - $templateFileContent = az bicep build --file $TemplateFilePath --stdout | ConvertFrom-Json -AsHashtable + $templateFileContent = az bicep build --file $TemplateFilePath --stdout --no-restore | ConvertFrom-Json -AsHashtable } else { $templateFileContent = ConvertFrom-Json (Get-Content $TemplateFilePath -Encoding 'utf8' -Raw) -ErrorAction Stop -AsHashtable } From aebb1daf75b935d677ab0b2f9bd8d5202743eed2 Mon Sep 17 00:00:00 2001 
From: MrMCake Date: Sat, 4 Jun 2022 10:23:01 +0200 Subject: [PATCH 02/28] Regenerated readme --- .../.parameters/encr.parameters.json | 17 ++++++++--------- arm/Microsoft.Compute/virtualMachines/readme.md | 17 +---------------- arm/Microsoft.EventHub/namespaces/readme.md | 1 + arm/Microsoft.KeyVault/vaults/readme.md | 1 + arm/Microsoft.ServiceBus/namespaces/readme.md | 1 + 5 files changed, 12 insertions(+), 25 deletions(-) diff --git a/arm/Microsoft.Automation/automationAccounts/.parameters/encr.parameters.json b/arm/Microsoft.Automation/automationAccounts/.parameters/encr.parameters.json index c396172aaa..9bee988855 100644 --- a/arm/Microsoft.Automation/automationAccounts/.parameters/encr.parameters.json +++ b/arm/Microsoft.Automation/automationAccounts/.parameters/encr.parameters.json @@ -5,22 +5,21 @@ "name": { "value": "<>-wd-aut-encr-001" }, - "encryptionKeySource" : { - "value" : "Microsoft.Keyvault" + "encryptionKeySource": { + "value": "Microsoft.Keyvault" }, "encryptionUserAssignedIdentity": { "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" // this identity needs to be one of the identities defined in userAssignedIdentities section }, - "keyName" : { - "value" : "keyEncryptionKey" + "keyName": { + "value": "keyEncryptionKey" }, - "keyvaultUri" : { - "value" : "https://adp-carml-az-kv-nopr-002.vault.azure.net/" + "keyvaultUri": { + "value": "https://adp-carml-az-kv-nopr-002.vault.azure.net/" }, - "keyVersion" : { - "value" : "9917c14be51d4d93b37218de7d326f60" + "keyVersion": { + "value": "9917c14be51d4d93b37218de7d326f60" }, - "userAssignedIdentities": { "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} diff --git a/arm/Microsoft.Compute/virtualMachines/readme.md b/arm/Microsoft.Compute/virtualMachines/readme.md index 69727052d0..514dd6ca0b 100644 
--- a/arm/Microsoft.Compute/virtualMachines/readme.md +++ b/arm/Microsoft.Compute/virtualMachines/readme.md @@ -1739,22 +1739,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { } } adminUsername: 'localAdminUser' - adminPassword: [ - { - Value: { - keyVault: { - id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001' - } - secretName: 'adminPassword' - } - MemberType: 8 - IsSettable: true - IsGettable: true - TypeNameOfValue: 'System.Management.Automation.PSCustomObject' - Name: 'reference' - IsInstance: true - } - ] + adminPassword: kv1.getSecret('adminPassword') nicConfigurations: [ { nicSuffix: '-nic-01' diff --git a/arm/Microsoft.EventHub/namespaces/readme.md b/arm/Microsoft.EventHub/namespaces/readme.md index be4e504c71..a78fe18ed9 100644 --- a/arm/Microsoft.EventHub/namespaces/readme.md +++ b/arm/Microsoft.EventHub/namespaces/readme.md @@ -306,6 +306,7 @@ userAssignedIdentities: { module namespaces './Microsoft.EventHub/namespaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-namespaces' params: { + } ``` diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index 43b4f23147..6ecf79f56b 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md @@ -405,6 +405,7 @@ privateEndpoints: [ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = { name: '${uniqueString(deployment().name)}-vaults' params: { + } ``` diff --git a/arm/Microsoft.ServiceBus/namespaces/readme.md b/arm/Microsoft.ServiceBus/namespaces/readme.md index ebdb27c5d3..5bdc77443b 100644 --- a/arm/Microsoft.ServiceBus/namespaces/readme.md +++ b/arm/Microsoft.ServiceBus/namespaces/readme.md @@ -318,6 +318,7 @@ userAssignedIdentities: { module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = { name: '${uniqueString(deployment().name)}-namespaces' params: { + } ``` 
From 317efd6aa3d2d4e2f857e04cf7a2f97b178f35fc Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 4 Jun 2022 22:56:18 +0200 Subject: [PATCH 03/28] Draft for cognitive services cmk --- .../ms.cognitiveservices.accounts.yml | 1 + .../accounts/.parameters/encr.parameters.json | 35 +++++++++++++++++++ .../accounts/deploy.bicep | 33 +++++++++++++++-- 3 files changed, 66 insertions(+), 3 deletions(-) create mode 100644 arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json diff --git a/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml b/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml index 651f718237..eb4ef24ae6 100644 --- a/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml +++ b/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml @@ -47,6 +47,7 @@ stages: deploymentBlocks: - path: $(modulePath)/.parameters/parameters.json - path: $(modulePath)/.parameters/speech.parameters.json + - path: $(modulePath)/.parameters/encr.parameters.json - stage: Publishing displayName: Publishing diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json new file mode 100644 index 0000000000..3ce2ff0a6f --- /dev/null +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json 
@@ -0,0 +1,35 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-cgs-encr-001" + }, + "kind": { + "value": "SpeechServices" + }, + "sku": { + "value": "F0" + }, + "systemAssignedIdentity": { + "value": true + }, + "userAssignedIdentities": { + "value": { + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} + } + }, + "cMKKeyVaultResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" + }, + "cMKeyName": { + "value": "keyEncryptionKey" + }, + "cMKUserAssignedIdentityResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" + }, + "cMKeyVersion": { + "value": "4570a207ec394a0bbbe4fc9adc663a51" + } + } +} diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index abe3a86d52..ee2ef3215d 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep 
@@ -115,8 +115,17 @@ param apiProperties object = {} @description('Optional. Allow only Azure AD authentication.') param disableLocalAuth bool = false -@description('Optional. Properties to configure encryption.') -param encryption object = {} +@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') +param cMKKeyVaultResourceId string = '' + +@description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.') +param cMKeyName string = '' + +@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKeyName\' is not empty.') +param cMKUserAssignedIdentityResourceId string = '' + +@description('Conditional. The version of the customer managed key to reference for encryption. Required if \'cMKeyName\' is not empty.') +param cMKeyVersion string = '' @description('Optional. Resource migration token.') param migrationToken string = '' @@ -198,6 +207,16 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } +resource cmkKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (!empty(cMKKeyVaultResourceId)) { + name: last(split(cMKKeyVaultResourceId, '/')) + scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +} + +resource cmkUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) { + name: last(split(cMKUserAssignedIdentityResourceId, '/')) + scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4]) +} + resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { name: name kind: kind 
@@ -214,7 +233,15 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { allowedFqdnList: allowedFqdnList apiProperties: apiProperties disableLocalAuth: disableLocalAuth - encryption: !empty(encryption) ? encryption : null + encryption: { + keySource: any(!empty(cMKeyName) ? 'Microsoft.Keyvault' : 'Microsoft.CognitiveServices') + keyVaultProperties: !empty(cMKeyName) ? { + identityClientId: !empty(cMKUserAssignedIdentityResourceId) ? cmkUserAssignedIdentity.properties.principalId : null + keyvaulturi: cmkKeyVault.properties.vaultUri + keyName: cMKeyName + keyversion: cMKeyVersion + } : null + } migrationToken: !empty(migrationToken) ? migrationToken : null restore: restore restrictOutboundNetworkAccess: restrictOutboundNetworkAccess From 258beff7172de6e5cdc77dd6bcf19e539996a4dc Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 5 Jun 2022 15:58:40 +0200 Subject: [PATCH 04/28] Removed CMK implementation as its currently not fully working & Set secure defaults --- .../ms.cognitiveservices.accounts.yml | 1 - .../accounts/.parameters/encr.parameters.json | 35 ------------ .../accounts/.parameters/parameters.json | 2 +- .../.parameters/speech.parameters.json | 2 +- .../accounts/deploy.bicep | 55 +++++-------------- .../accounts/readme.md | 12 ++-- 6 files changed, 21 insertions(+), 86 deletions(-) delete mode 100644 arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json diff --git a/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml b/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml index eb4ef24ae6..651f718237 100644 --- a/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml +++ b/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml 
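Review bot: `identityClientId` is populated from `cmkUserAssignedIdentity.properties.principalId`, but on a user-assigned identity the client ID is `properties.clientId`; the principal (object) ID is a different GUID, so the key vault access would be attempted with the wrong identity reference, which is plausibly why the follow-up commit reports CMK as not fully working. The fixture added later in this series passes `identityClientId` as a client ID, consistent with that. Change the line to `identityClientId: !empty(cMKUserAssignedIdentityResourceId) ? cmkUserAssignedIdentity.properties.clientId : null`. Separately, when `cMKeyName` is empty this block still emits `keySource: 'Microsoft.CognitiveServices'` with `keyVaultProperties: null` on every deployment, whereas the removed line nulled the whole property out; worth confirming the API accepts that shape for all `kind` values. The `cognitiveServices` resource continues outside the hunk.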
@@ -47,7 +47,6 @@ stages: deploymentBlocks: - path: $(modulePath)/.parameters/parameters.json - path: $(modulePath)/.parameters/speech.parameters.json - - path: $(modulePath)/.parameters/encr.parameters.json - stage: Publishing displayName: Publishing diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json deleted file mode 100644 index 3ce2ff0a6f..0000000000 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json +++ /dev/null @@ -1,35 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "<>-az-cgs-encr-001" - }, - "kind": { - "value": "SpeechServices" - }, - "sku": { - "value": "F0" - }, - "systemAssignedIdentity": { - "value": true - }, - "userAssignedIdentities": { - "value": { - "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} - } - }, - "cMKKeyVaultResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-nopr-002" - }, - "cMKeyName": { - "value": "keyEncryptionKey" - }, - "cMKUserAssignedIdentityResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001" - }, - "cMKeyVersion": { - "value": "4570a207ec394a0bbbe4fc9adc663a51" - } - } -} diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json index a7eb9a7d6f..d9b34c08f2 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json 
@@ -9,7 +9,7 @@ "value": "Face" }, "sku": { - "value": "F0" + "value": "S0" }, "roleAssignments": { "value": [ diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json index 489b409bac..0e5cfb726c 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json @@ -9,7 +9,7 @@ "value": "SpeechServices" }, "sku": { - "value": "F0" + "value": "S0" }, "systemAssignedIdentity": { "value": true diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index ee2ef3215d..88aff26e78 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -73,12 +73,12 @@ param diagnosticEventHubName string = '' @description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' are set.') param customSubDomainName string = '' -@description('Optional. Whether or not public endpoint access is allowed for this account.') +@description('Optional. Whether or not public endpoint access is allowed for this account. Should be disabled for security reasons.') @allowed([ 'Enabled' 'Disabled' ]) -param publicNetworkAccess string = 'Enabled' +param publicNetworkAccess string = 'Disabled' @description('Optional. Service endpoint object information.') param networkAcls object = {} 
@@ -112,20 +112,8 @@ param allowedFqdnList array = [] @description('Optional. The API properties for special APIs.') param apiProperties object = {} -@description('Optional. Allow only Azure AD authentication.') -param disableLocalAuth bool = false - -@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.') -param cMKKeyVaultResourceId string = '' - -@description('Optional. The name of the customer managed key to use for encryption. Cannot be deployed together with the parameter \'systemAssignedIdentity\' enabled.') -param cMKeyName string = '' - -@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKeyName\' is not empty.') -param cMKUserAssignedIdentityResourceId string = '' - -@description('Conditional. The version of the customer managed key to reference for encryption. Required if \'cMKeyName\' is not empty.') -param cMKeyVersion string = '' +@description('Optional. Allow only Azure AD authentication. Should be enabled for security reasons.') +param disableLocalAuth bool = true @description('Optional. Resource migration token.') param migrationToken string = '' @@ -142,6 +130,9 @@ param userOwnedStorage array = [] @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true +@description('Optional. Properties to configure encryption.') +param encryption object = {} + @description('Optional. The name of logs that will be streamed.') @allowed([ 'Audit' 
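Review bot: Flipping `disableLocalAuth` to `true` by default leaves a freshly deployed account with no usable credential unless the caller also sets `customSubDomainName`: as far as I recall, Azure AD authentication against these accounts requires a custom subdomain, and that parameter still defaults to `''` with a description (context line in the preceding hunk) that only mentions `networkAcls`. If that is right, the description should read `Conditional. Subdomain name used for token-based authentication. Required if 'networkAcls' are set or 'disableLocalAuth' is true.` and the default test parameter files should be checked to provide it. The re-added `encryption object = {}` is untyped and undocumented as to expected shape; a one-line pointer in its description to the `keySource`/`keyVaultProperties` keys the API expects would save callers a round trip to the readme.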
@@ -189,12 +180,6 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null -var networkAcls_var = { - defaultAction: !empty(networkAcls) ? networkAcls.defaultAction : null - virtualNetworkRules: !empty(networkAcls) ? ((length(networkAcls.virtualNetworkRules) == 0) ? [] : networkAcls.virtualNetworkRules) : null - ipRules: !empty(networkAcls) ? ((length(networkAcls.ipRules) == 0) ? [] : networkAcls.ipRules) : null -} - resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { @@ -207,16 +192,6 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource cmkKeyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (!empty(cMKKeyVaultResourceId)) { - name: last(split(cMKKeyVaultResourceId, '/')) - scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) -} - -resource cmkUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (!empty(cMKUserAssignedIdentityResourceId)) { - name: last(split(cMKUserAssignedIdentityResourceId, '/')) - scope: resourceGroup(split(cMKUserAssignedIdentityResourceId, '/')[2], split(cMKUserAssignedIdentityResourceId, '/')[4]) -} - resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { name: name kind: kind 
@@ -228,20 +203,16 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { } properties: { customSubDomainName: !empty(customSubDomainName) ? customSubDomainName : null - networkAcls: !empty(networkAcls) ? networkAcls_var : null + networkAcls: !empty(networkAcls) ? { + defaultAction: contains(networkAcls, 'defaultAction') ? networkAcls.defaultAction : 'Deny' + virtualNetworkRules: contains(networkAcls, 'virtualNetworkRules') ? networkAcls.virtualNetworkRules : [] + ipRules: contains(networkAcls, 'ipRules') ? networkAcls.ipRules : [] + } : null publicNetworkAccess: publicNetworkAccess allowedFqdnList: allowedFqdnList apiProperties: apiProperties disableLocalAuth: disableLocalAuth - encryption: { - keySource: any(!empty(cMKeyName) ? 'Microsoft.Keyvault' : 'Microsoft.CognitiveServices') - keyVaultProperties: !empty(cMKeyName) ? { - identityClientId: !empty(cMKUserAssignedIdentityResourceId) ? cmkUserAssignedIdentity.properties.principalId : null - keyvaulturi: cmkKeyVault.properties.vaultUri - keyName: cMKeyName - keyversion: cMKeyVersion - } : null - } + encryption: encryption migrationToken: !empty(migrationToken) ? migrationToken : null restore: restore restrictOutboundNetworkAccess: restrictOutboundNetworkAccess diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index e2ec279c51..229da297b4 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md 
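Review bot: `encryption: encryption` now sends the literal default `{}` to the API whenever the caller does not set the parameter, whereas the block it replaces always produced a fully formed object and the pre-series line nulled it out; I cannot confirm from here that the accounts API tolerates an empty encryption object, so `encryption: !empty(encryption) ? encryption : null` is the safer form. The `networkAcls` rewrite is a good hardening — `defaultAction` now falls back to `'Deny'` for a partially specified ACL — but that fallback is silent, so a comment such as `// defaultAction falls back to 'Deny' so a partially specified ACL never opens the endpoint` would make the intent visible to the next editor. The `cognitiveServices` resource starts and ends outside this hunk.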
@@ -47,7 +47,7 @@ This module deploys different kinds of cognitive services resources | `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. | | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `disableLocalAuth` | bool | `False` | | Allow only Azure AD authentication. | +| `disableLocalAuth` | bool | `True` | | Allow only Azure AD authentication. Should be enabled for security reasons. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | | `encryption` | object | `{object}` | | Properties to configure encryption. | | `location` | string | `[resourceGroup().location]` | | Location for all Resources. | 
@@ -55,7 +55,7 @@ This module deploys different kinds of cognitive services resources | `migrationToken` | string | `''` | | Resource migration token. | | `networkAcls` | object | `{object}` | | Service endpoint object information. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | -| `publicNetworkAccess` | string | `'Enabled'` | `[Enabled, Disabled]` | Whether or not public endpoint access is allowed for this account. | +| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether or not public endpoint access is allowed for this account. Should be disabled for security reasons. | | `restore` | bool | `False` | | Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists. | | `restrictOutboundNetworkAccess` | bool | `True` | | Restrict outbound network access. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | @@ -370,7 +370,7 @@ userAssignedIdentities: { "value": "Face" }, "sku": { - "value": "F0" + "value": "S0" }, "roleAssignments": { "value": [ @@ -422,7 +422,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { params: { name: '<>-az-cgs-x-001' kind: 'Face' - sku: 'F0' + sku: 'S0' roleAssignments: [ { roleDefinitionIdOrName: 'Reader' @@ -464,7 +464,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { "value": "SpeechServices" }, "sku": { - "value": "F0" + "value": "S0" }, "systemAssignedIdentity": { "value": true 
@@ -502,7 +502,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { params: { name: '<>-az-cgs-speech-001' kind: 'SpeechServices' - sku: 'F0' + sku: 'S0' systemAssignedIdentity: true userAssignedIdentities: { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} From 06cd4f8ffa8c493f224668da295a68356e8d6dd5 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 5 Jun 2022 16:34:05 +0200 Subject: [PATCH 05/28] Added encryption test --- .../ms.cognitiveservices.accounts.yml | 1 + .../accounts/.parameters/encr.parameters.json | 31 ++++++++ .../accounts/deploy.bicep | 2 +- .../accounts/readme.md | 76 ++++++++++++++++++- 4 files changed, 107 insertions(+), 3 deletions(-) create mode 100644 arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json diff --git a/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml b/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml index 651f718237..eb4ef24ae6 100644 --- a/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml +++ b/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml @@ -47,6 +47,7 @@ stages: deploymentBlocks: - path: $(modulePath)/.parameters/parameters.json - path: $(modulePath)/.parameters/speech.parameters.json + - path: $(modulePath)/.parameters/encr.parameters.json - stage: Publishing displayName: Publishing diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json new file mode 100644 index 0000000000..8fcba54134 --- /dev/null +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json 
@@ -0,0 +1,31 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-cgs-encr-001" + }, + "kind": { + "value": "SpeechServices" + }, + "sku": { + "value": "S0" + }, + "userAssignedIdentities": { + "value": { + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} + } + }, + "encryption": { + "value": { + "keySource": "Microsoft.Keyvault", + "keyVaultProperties": { + "identityClientId": "c907a696-36f4-49fe-b926-39e3aabba814", // ID must be updated for new identity + "keyvaulturi": "https://adp-<>-az-kv-nopr-002.vault.azure.net/", + "keyName": "keyEncryptionKey", + "keyversion": "4570a207ec394a0bbbe4fc9adc663a51" // ID must be updated for new keys + } + } + } + } +} diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index 88aff26e78..da164aef4f 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -86,7 +86,7 @@ param networkAcls object = {} @description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false -@description('Optional. The ID(s) to assign to the resource.') +@description('Conditional. The ID(s) to assign to the resource. Must be set if a user assigned identity is used for encryption.') param userAssignedIdentities object = {} @allowed([ diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index 229da297b4..9a68e874c6 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md 
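Review bot: The new fixture hard-codes environment-specific values — the identity's `identityClientId` GUID and `keyversion` — as literals guarded only by an `// ID must be updated` comment, while the subscription and naming prefix use the repository's `<>` token, so the test can only pass against the one environment those IDs came from and a rotated key or recreated identity breaks it silently. If the tokenizer cannot supply these, a comment in the file stating where each value comes from (the identity's client ID from `az identity show --query clientId`, the key's current version from the vault) would at least make the maintenance step explicit. In the deploy.bicep hunk, the `userAssignedIdentities` description now says it must be set when a user-assigned identity is used for encryption, but nothing checks that `encryption.keyVaultProperties.identityClientId` belongs to one of those identities; the description should state that the two must refer to the same identity.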
@@ -33,6 +33,7 @@ This module deploys different kinds of cognitive services resources | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | | `customSubDomainName` | string | `''` | Subdomain name used for token-based authentication. Required if 'networkAcls' are set. | +| `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Must be set if a user assigned identity is used for encryption. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | @@ -62,7 +63,6 @@ This module deploys different kinds of cognitive services resources | `sku` | string | `'S0'` | `[C2, C3, C4, F0, F1, S, S0, S1, S10, S2, S3, S4, S5, S6, S7, S8, S9]` | SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'sku' for your Azure region. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | | `userOwnedStorage` | array | `[]` | | The storage accounts for this resource. | 
@@ -358,6 +358,78 @@ userAssignedIdentities: { via JSON Parameter file +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-cgs-encr-001" + }, + "kind": { + "value": "SpeechServices" + }, + "sku": { + "value": "S0" + }, + "userAssignedIdentities": { + "value": { + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} + } + }, + "encryption": { + "value": { + "keySource": "Microsoft.Keyvault", + "keyVaultProperties": { + "identityClientId": "c907a696-36f4-49fe-b926-39e3aabba814", // ID must be updated for new identity + "keyvaulturi": "https://adp-<>-az-kv-nopr-002.vault.azure.net/", + "keyName": "keyEncryptionKey", + "keyversion": "4570a207ec394a0bbbe4fc9adc663a51" // ID must be updated for new keys + } + } + } + } +} + +``` + + + +
+ +via Bicep module + +```bicep +module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-accounts' + params: { + name: '<>-az-cgs-encr-001' + kind: 'SpeechServices' + sku: 'S0' + userAssignedIdentities: { + '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} + } + encryption: { + keySource: 'Microsoft.Keyvault' + keyVaultProperties: { + identityClientId: 'c907a696-36f4-49fe-b926-39e3aabba814' + keyvaulturi: 'https://adp-<>-az-kv-nopr-002.vault.azure.net/' + keyName: 'keyEncryptionKey' + keyversion: '4570a207ec394a0bbbe4fc9adc663a51' + } + } + } +``` + +
+

+ +

Example 2

+ +
+ +via JSON Parameter file + ```json { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", @@ -446,7 +518,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = {

-

Example 2

+

Example 3

From 7666d27d1ae4124b7dd266c369fc7835b214dc43 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 5 Jun 2022 17:57:15 +0200 Subject: [PATCH 06/28] Added docs --- .../accounts/.parameters/encr.parameters.json | 4 +- .../accounts/deploy.bicep | 4 +- .../accounts/readme.md | 60 +++++++++++++++++-- 3 files changed, 60 insertions(+), 8 deletions(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json index 8fcba54134..4bfdf94938 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json @@ -21,9 +21,9 @@ "keySource": "Microsoft.Keyvault", "keyVaultProperties": { "identityClientId": "c907a696-36f4-49fe-b926-39e3aabba814", // ID must be updated for new identity - "keyvaulturi": "https://adp-<>-az-kv-nopr-002.vault.azure.net/", + "keyVaultUri": "https://adp-<>-az-kv-nopr-002.vault.azure.net/", "keyName": "keyEncryptionKey", - "keyversion": "4570a207ec394a0bbbe4fc9adc663a51" // ID must be updated for new keys + "keyversion": "4570a207ec394a0bbbe4fc9adc663a51" // Version must be updated for new keys } } } diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index da164aef4f..790bb6515a 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep 
@@ -1,7 +1,7 @@ @description('Required. The name of Cognitive Services account.') param name string -@description('Required. Kind of the Cognitive Services. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'sku\' for your Azure region.') +@description('Required. Kind of the Cognitive Services. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'SKU\' for your Azure region.') @allowed([ 'AnomalyDetector' 'Bing.Autosuggest.v7' @@ -28,7 +28,7 @@ param name string ]) param kind string -@description('Optional. SKU of the Cognitive Services resource. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'sku\' for your Azure region.') +@description('Optional. SKU of the Cognitive Services resource. Use \'Get-AzCognitiveServicesAccountSku\' to determine a valid combinations of \'kind\' and \'SKU\' for your Azure region.') @allowed([ 'C2' 'C3' diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index 9a68e874c6..4c39f865eb 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md 
@@ -26,7 +26,7 @@ This module deploys different kinds of cognitive services resources **Required parameters** | Parameter Name | Type | Allowed Values | Description | | :-- | :-- | :-- | :-- | -| `kind` | string | `[AnomalyDetector, Bing.Autosuggest.v7, Bing.CustomSearch, Bing.EntitySearch, Bing.Search.v7, Bing.SpellCheck.v7, CognitiveServices, ComputerVision, ContentModerator, CustomVision.Prediction, CustomVision.Training, Face, FormRecognizer, ImmersiveReader, Internal.AllInOne, LUIS, LUIS.Authoring, Personalizer, QnAMaker, SpeechServices, TextAnalytics, TextTranslation]` | Kind of the Cognitive Services. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'sku' for your Azure region. | +| `kind` | string | `[AnomalyDetector, Bing.Autosuggest.v7, Bing.CustomSearch, Bing.EntitySearch, Bing.Search.v7, Bing.SpellCheck.v7, CognitiveServices, ComputerVision, ContentModerator, CustomVision.Prediction, CustomVision.Training, Face, FormRecognizer, ImmersiveReader, Internal.AllInOne, LUIS, LUIS.Authoring, Personalizer, QnAMaker, SpeechServices, TextAnalytics, TextTranslation]` | Kind of the Cognitive Services. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. | | `name` | string | | The name of Cognitive Services account. | **Conditional parameters** 
@@ -60,7 +60,7 @@ This module deploys different kinds of cognitive services resources | `restore` | bool | `False` | | Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists. | | `restrictOutboundNetworkAccess` | bool | `True` | | Restrict outbound network access. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sku` | string | `'S0'` | `[C2, C3, C4, F0, F1, S, S0, S1, S10, S2, S3, S4, S5, S6, S7, S8, S9]` | SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'sku' for your Azure region. | +| `sku` | string | `'S0'` | `[C2, C3, C4, F0, F1, S, S0, S1, S10, S2, S3, S4, S5, S6, S7, S8, S9]` | SKU of the Cognitive Services resource. Use 'Get-AzCognitiveServicesAccountSku' to determine a valid combinations of 'kind' and 'SKU' for your Azure region. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | | `tags` | object | `{object}` | | Tags of the resource. | | `userOwnedStorage` | array | `[]` | | The storage accounts for this resource. | @@ -143,6 +143,58 @@ privateEndpoints: [

+### Parameter Usage: `encryption` + +

+ +Parameter JSON format + +```json +// With customer-managed key +"encryption": { + "value": { + "keySource": "Microsoft.KeyVault", + "keyVaultProperties": { + "identityClientId": "c907a696-36f4-49fe-b926-39e3aabba814", // ID must be updated for new identity + "keyVaultUri": "https://adp-<>-az-kv-nopr-002.vault.azure.net/", + "keyName": "keyEncryptionKey", + "keyversion": "4570a207ec394a0bbbe4fc9adc663a51" // ID must be updated for new keys + } + } +} +// With service-managed key +"encryption": { + "value": { + "keySource": "Microsoft.CognitiveServices" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +// With customer managed key +encryption: { + keySource: 'Microsoft.KeyVault' + keyVaultProperties: { + identityClientId: 'c907a696-36f4-49fe-b926-39e3aabba814' // ID must be updated for new identity + keyVaultUri: 'https://adp-<>-az-kv-nopr-002.vault.azure.net/' + keyName: 'keyEncryptionKey' + keyversion: '4570a207ec394a0bbbe4fc9adc663a51' // Version must be updated for new keys + } +} +// With service-managed key +encryption: { + keySource: 'Microsoft.CognitiveServices' +} +``` + +
+

### Parameter Usage: `roleAssignments` Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. @@ -347,7 +399,7 @@ userAssignedIdentities: { ## Considerations -- Not all combinations of parameters `kind` and `sku` are valid and they may vary in different Azure Regions. Please use PowerShell CmdLet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region. +- Not all combinations of parameters `kind` and `SKU` are valid and they may vary in different Azure Regions. Please use PowerShell CMDLet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region. - Not all kinds of Cognitive Services support virtual networks. Please visit the link below to determine supported services. ## Deployment examples @@ -384,7 +436,7 @@ userAssignedIdentities: { "identityClientId": "c907a696-36f4-49fe-b926-39e3aabba814", // ID must be updated for new identity "keyvaulturi": "https://adp-<>-az-kv-nopr-002.vault.azure.net/", "keyName": "keyEncryptionKey", - "keyversion": "4570a207ec394a0bbbe4fc9adc663a51" // ID must be updated for new keys + "keyversion": "4570a207ec394a0bbbe4fc9adc663a51" // Version must be updated for new keys } } } From e3207e011a24c26c8148311db0c61a18356b7fc2 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 5 Jun 2022 17:58:35 +0200 Subject: [PATCH 07/28] Updated readme --- arm/Microsoft.CognitiveServices/accounts/readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index 4c39f865eb..155be75147 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md 
+++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -434,7 +434,7 @@ userAssignedIdentities: { "keySource": "Microsoft.Keyvault", "keyVaultProperties": { "identityClientId": "c907a696-36f4-49fe-b926-39e3aabba814", // ID must be updated for new identity - "keyvaulturi": "https://adp-<>-az-kv-nopr-002.vault.azure.net/", + "keyVaultUri": "https://adp-<>-az-kv-nopr-002.vault.azure.net/", "keyName": "keyEncryptionKey", "keyversion": "4570a207ec394a0bbbe4fc9adc663a51" // Version must be updated for new keys } @@ -465,7 +465,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { keySource: 'Microsoft.Keyvault' keyVaultProperties: { identityClientId: 'c907a696-36f4-49fe-b926-39e3aabba814' - keyvaulturi: 'https://adp-<>-az-kv-nopr-002.vault.azure.net/' + keyVaultUri: 'https://adp-<>-az-kv-nopr-002.vault.azure.net/' keyName: 'keyEncryptionKey' keyversion: '4570a207ec394a0bbbe4fc9adc663a51' } From 4306b8d6337da87f64c4d0c06bd638ec8f08dc96 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 5 Jun 2022 18:04:33 +0200 Subject: [PATCH 08/28] Updated metadata --- arm/Microsoft.CognitiveServices/accounts/deploy.bicep | 2 +- arm/Microsoft.CognitiveServices/accounts/readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index 790bb6515a..808ec0dfa1 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep 
@@ -86,7 +86,7 @@ param networkAcls object = {} @description('Optional. Enables system assigned managed identity on the resource.') param systemAssignedIdentity bool = false -@description('Conditional. The ID(s) to assign to the resource. Must be set if a user assigned identity is used for encryption.') +@description('Conditional. The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.') param userAssignedIdentities object = {} @allowed([ diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index 155be75147..be8e3b4051 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -33,7 +33,7 @@ This module deploys different kinds of cognitive services resources | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | | `customSubDomainName` | string | `''` | Subdomain name used for token-based authentication. Required if 'networkAcls' are set. | -| `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Must be set if a user assigned identity is used for encryption. | +| `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | From 3ac20812163991cc11a1d16647700e0f2b4093a2 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 5 Jun 2022 19:15:36 +0200 Subject: [PATCH 09/28] Shuffle --- arm/Microsoft.CognitiveServices/accounts/deploy.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index 808ec0dfa1..e6f15058c2 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep 
+++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -115,6 +115,9 @@ param apiProperties object = {} @description('Optional. Allow only Azure AD authentication. Should be enabled for security reasons.') param disableLocalAuth bool = true +@description('Optional. Properties to configure encryption.') +param encryption object = {} + @description('Optional. Resource migration token.') param migrationToken string = '' @@ -130,9 +133,6 @@ param userOwnedStorage array = [] @description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') param enableDefaultTelemetry bool = true -@description('Optional. Properties to configure encryption.') -param encryption object = {} - @description('Optional. The name of logs that will be streamed.') @allowed([ 'Audit' From 111e169fbff15542d0d67ba08633b5577e98ba4b Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sun, 5 Jun 2022 19:16:20 +0200 Subject: [PATCH 10/28] Minor update --- arm/Microsoft.CognitiveServices/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index e6f15058c2..992d363d44 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -212,7 +212,7 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { allowedFqdnList: allowedFqdnList apiProperties: apiProperties disableLocalAuth: disableLocalAuth - encryption: encryption + encryption: !empty(encryption) ? encryption : null migrationToken: !empty(migrationToken) ? migrationToken : null restore: restore restrictOutboundNetworkAccess: restrictOutboundNetworkAccess From 77f75615ec25596a3c789ab010fd3cd1bec26c74 Mon Sep 17 00:00:00 2001 
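Review bot: The `encryption` object is now forwarded verbatim to the resource (`encryption: !empty(encryption) ? encryption : null`), but the parameter's description, moved in the preceding hunk, is only 'Optional. Properties to configure encryption.' and says nothing about the expected shape, while the test fixture in this series pins a specific `keyversion` with a comment that it must be updated by hand. A caller reading the module therefore has no way to know that customer-managed keys need `keySource` set to `Microsoft.KeyVault` plus a `keyVaultProperties` block, nor that a pinned key version means a rotated Key Vault key will not take effect until the module is redeployed with the new version (if the provider accepts a version-less key reference that would be the rotation-friendly option — worth confirming). Suggest `@description('Optional. Encryption settings. For customer-managed keys set keySource to Microsoft.KeyVault and provide keyVaultProperties (keyVaultUri, keyName, keyversion, identityClientId); a pinned keyversion must be updated when the key is rotated.')`. The `properties` block this line belongs to starts and ends outside the hunk.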
From: MrMCake Date: Sun, 5 Jun 2022 19:41:23 +0200 Subject: [PATCH 11/28] Minor update --- .../accounts/.parameters/encr.parameters.json | 2 +- arm/Microsoft.CognitiveServices/accounts/readme.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json index 4bfdf94938..fd419e2e59 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json @@ -18,7 +18,7 @@ }, "encryption": { "value": { - "keySource": "Microsoft.Keyvault", + "keySource": "Microsoft.KeyVault", "keyVaultProperties": { "identityClientId": "c907a696-36f4-49fe-b926-39e3aabba814", // ID must be updated for new identity "keyVaultUri": "https://adp-<>-az-kv-nopr-002.vault.azure.net/", diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index be8e3b4051..9653bf28ce 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -431,7 +431,7 @@ userAssignedIdentities: { }, "encryption": { "value": { - "keySource": "Microsoft.Keyvault", + "keySource": "Microsoft.KeyVault", "keyVaultProperties": { "identityClientId": "c907a696-36f4-49fe-b926-39e3aabba814", // ID must be updated for new identity "keyVaultUri": "https://adp-<>-az-kv-nopr-002.vault.azure.net/", @@ -462,7 +462,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} } encryption: { - keySource: 'Microsoft.Keyvault' + keySource: 'Microsoft.KeyVault' keyVaultProperties: { identityClientId: 'c907a696-36f4-49fe-b926-39e3aabba814' keyVaultUri: 'https://adp-<>-az-kv-nopr-002.vault.azure.net/' 
From 457773413e99991730c281a01ade3a20761acdd9 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Mon, 6 Jun 2022 13:42:01 +0200 Subject: [PATCH 12/28] Update arm/Microsoft.CognitiveServices/accounts/readme.md Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- arm/Microsoft.CognitiveServices/accounts/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index 9653bf28ce..657dda05fa 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -399,7 +399,7 @@ userAssignedIdentities: { ## Considerations -- Not all combinations of parameters `kind` and `SKU` are valid and they may vary in different Azure Regions. Please use PowerShell CMDLet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region. +- Not all combinations of parameters `kind` and `SKU` are valid and they may vary in different Azure Regions. Please use PowerShell cmdlet `Get-AzCognitiveServicesAccountSku` or another methods to determine valid values in your region. - Not all kinds of Cognitive Services support virtual networks. Please visit the link below to determine supported services. ## Deployment examples From 32926336dc639197743ffb0ebcda9d56dfb7a2f9 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Tue, 7 Jun 2022 19:59:31 +0200 Subject: [PATCH 13/28] Update arm/Microsoft.CognitiveServices/accounts/deploy.bicep Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- arm/Microsoft.CognitiveServices/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index b7c8f12e45..fe555c4574 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep 
+++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -204,7 +204,7 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { properties: { customSubDomainName: !empty(customSubDomainName) ? customSubDomainName : null networkAcls: !empty(networkAcls) ? { - defaultAction: contains(networkAcls, 'defaultAction') ? networkAcls.defaultAction : 'Deny' + defaultAction: contains(networkAcls, 'defaultAction') ? networkAcls.defaultAction : null virtualNetworkRules: contains(networkAcls, 'virtualNetworkRules') ? networkAcls.virtualNetworkRules : [] ipRules: contains(networkAcls, 'ipRules') ? networkAcls.ipRules : [] } : null From e4d8b78950377c2a868d42252ae8f33ae383ff9a Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 7 Jun 2022 19:59:50 +0200 Subject: [PATCH 14/28] Adjusted network access default --- arm/Microsoft.CognitiveServices/accounts/deploy.bicep | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index b7c8f12e45..6d9c774d10 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -75,10 +75,11 @@ param customSubDomainName string = '' @description('Optional. Whether or not public endpoint access is allowed for this account. Should be disabled for security reasons.') @allowed([ + '' 'Enabled' 'Disabled' ]) -param publicNetworkAccess string = 'Disabled' +param publicNetworkAccess string = '' @description('Optional. Service endpoint object information.') param networkAcls object = {} 
@@ -208,7 +209,7 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { virtualNetworkRules: contains(networkAcls, 'virtualNetworkRules') ? networkAcls.virtualNetworkRules : [] ipRules: contains(networkAcls, 'ipRules') ? networkAcls.ipRules : [] } : null - publicNetworkAccess: publicNetworkAccess + publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) allowedFqdnList: allowedFqdnList apiProperties: apiProperties disableLocalAuth: disableLocalAuth From 4f465c0dbea41ffba3cac1be18bc0213f4d3dca2 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 7 Jun 2022 20:00:50 +0200 Subject: [PATCH 15/28] Update to latest --- arm/Microsoft.CognitiveServices/accounts/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index c9892dbcf4..0fc8d68296 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -73,7 +73,7 @@ param diagnosticEventHubName string = '' @description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' are set.') param customSubDomainName string = '' -@description('Optional. Whether or not public endpoint access is allowed for this account. Should be disabled for security reasons.') +@description('Optional. Whether or not public endpoint access is allowed for this account.') @allowed([ '' 'Enabled' From 365e182b272c76d373bdae710c3f9619fafdac98 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 7 Jun 2022 20:02:16 +0200 Subject: [PATCH 16/28] Updated readme --- arm/Microsoft.CognitiveServices/accounts/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index 31c1aef8b3..d35db7672e 100644 
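Review bot: Together with the first hunk of this patch, the module's default for `publicNetworkAccess` moves from an explicit `'Disabled'` to `''`, which this line turns into `null` whenever no private endpoint is configured — the property is then left to the resource provider's default, and the 'Should be disabled for security reasons' guidance is removed from the description in the following patch. A caller who relied on the previous secure-by-default behaviour (public endpoint closed unless explicitly opened) now gets whatever the service applies when the property is omitted, which as far as this hunk shows is not `Disabled`. If letting the platform decide is intended, the description should say so, e.g. `@description('Optional. Whether or not public endpoint access is allowed for this account. If left empty it is set to Disabled when private endpoints are configured and otherwise left to the service default.')`; if not, keep `'Disabled'` as the fallback in the final `else` branch. The `properties` block continues outside this hunk.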
--- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -56,7 +56,7 @@ This module deploys different kinds of cognitive services resources | `migrationToken` | string | `''` | | Resource migration token. | | `networkAcls` | object | `{object}` | | Service endpoint object information. | | `privateEndpoints` | array | `[]` | | Configuration Details for private endpoints. | -| `publicNetworkAccess` | string | `'Disabled'` | `[Enabled, Disabled]` | Whether or not public endpoint access is allowed for this account. Should be disabled for security reasons. | +| `publicNetworkAccess` | string | `''` | `[, Enabled, Disabled]` | Whether or not public endpoint access is allowed for this account. | | `restore` | bool | `False` | | Restore a soft-deleted cognitive service at deployment time. Will fail if no such soft-deleted resource exists. | | `restrictOutboundNetworkAccess` | bool | `True` | | Restrict outbound network access. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | From cdbd0f5cf735dc1e864535a5133823c1b67f5e82 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 7 Jun 2022 20:15:05 +0200 Subject: [PATCH 17/28] Updated param --- .../accounts/.parameters/encr.parameters.json | 3 +++ arm/Microsoft.CognitiveServices/accounts/readme.md | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json index fd419e2e59..389198f6a3 100644 
--- a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json @@ -16,6 +16,9 @@ "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} } }, + "publicNetworkAccess ": { + "value": true + }, "encryption": { "value": { "keySource": "Microsoft.KeyVault", diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index d35db7672e..6a49d1d212 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -429,6 +429,9 @@ userAssignedIdentities: { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} } }, + "publicNetworkAccess ": { + "value": true + }, "encryption": { "value": { "keySource": "Microsoft.KeyVault", @@ -461,6 +464,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { userAssignedIdentities: { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} } + 'publicNetworkAccess ': true encryption: { keySource: 'Microsoft.KeyVault' keyVaultProperties: { From 21c8c837579a35edef5e670d1b17a7a238337406 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 7 Jun 2022 20:25:14 +0200 Subject: [PATCH 18/28] Adjusted default --- .../accounts/.parameters/encr.parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json index 389198f6a3..451013984d 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json 
@@ -17,7 +17,7 @@ } }, "publicNetworkAccess ": { - "value": true + "value": "Enabled" }, "encryption": { "value": { From 3900e872a993f01efc849a4eda14d206ec5ac071 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 7 Jun 2022 20:32:53 +0200 Subject: [PATCH 19/28] Minor fix --- .../accounts/.parameters/encr.parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json index 451013984d..082120732a 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/encr.parameters.json @@ -16,7 +16,7 @@ "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} } }, - "publicNetworkAccess ": { + "publicNetworkAccess": { "value": "Enabled" }, "encryption": { From f215233f58d8fb38777929228dce60fc5af3498a Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 7 Jun 2022 20:46:22 +0200 Subject: [PATCH 20/28] Updated readme --- arm/Microsoft.CognitiveServices/accounts/readme.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index 6a49d1d212..b12f319378 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -429,8 +429,8 @@ userAssignedIdentities: { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {} } }, - "publicNetworkAccess ": { - "value": true + "publicNetworkAccess": { + "value": "Enabled" }, "encryption": { "value": { 
@@ -464,7 +464,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { userAssignedIdentities: { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} } - 'publicNetworkAccess ': true + publicNetworkAccess: 'Enabled' encryption: { keySource: 'Microsoft.KeyVault' keyVaultProperties: { From 478c0fb083ecb45367ec5fdd7e733966c4c8bf00 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Thu, 9 Jun 2022 15:17:40 +0200 Subject: [PATCH 21/28] Changed network acls + added test case --- .../accounts/.parameters/parameters.json | 6 ++++++ arm/Microsoft.CognitiveServices/accounts/deploy.bicep | 6 +----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json index 447932ea9c..cb3b166205 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json @@ -24,6 +24,12 @@ } ] }, + "networkAcls": { + "value": { + "defaultAction": "deny", + "virtualNetworkRules": [] + } + }, "systemAssignedIdentity": { "value": true }, diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index 0fc8d68296..1f34e37e73 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep 
@@ -204,11 +204,7 @@ resource cognitiveServices 'Microsoft.CognitiveServices/accounts@2021-10-01' = { } properties: { customSubDomainName: !empty(customSubDomainName) ? customSubDomainName : null - networkAcls: !empty(networkAcls) ? { - defaultAction: contains(networkAcls, 'defaultAction') ? networkAcls.defaultAction : null - virtualNetworkRules: contains(networkAcls, 'virtualNetworkRules') ? networkAcls.virtualNetworkRules : [] - ipRules: contains(networkAcls, 'ipRules') ? networkAcls.ipRules : [] - } : null + networkAcls: networkAcls publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) ? 'Disabled' : null) allowedFqdnList: allowedFqdnList apiProperties: apiProperties From d11987373078d1f8a5b5050608e9c0c2d47c24b7 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Thu, 9 Jun 2022 15:18:55 +0200 Subject: [PATCH 22/28] Small adjustment --- arm/Microsoft.CognitiveServices/accounts/readme.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index b12f319378..404ea72e64 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -513,6 +513,12 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { } ] }, + "networkAcls": { + "value": { + "defaultAction": "deny", + "virtualNetworkRules": [] + } + }, "systemAssignedIdentity": { "value": true }, @@ -563,6 +569,10 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { ] } ] + networkAcls: { + defaultAction: 'deny' + virtualNetworkRules: [] + } systemAssignedIdentity: true userAssignedIdentities: { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} From 98193fb10a5e261897c5fe3f499be8749f84fb3f Mon Sep 17 00:00:00 2001 
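Review bot: `networkAcls: networkAcls` drops the normalisation that previously supplied `defaultAction` (originally `'Deny'`) and empty rule arrays, and it also sends the parameter's `{}` default to the provider instead of `null` when no ACLs are given. A caller passing only `ipRules` or `virtualNetworkRules` no longer gets a deny-by-default ACL from the module; what the provider does when `defaultAction` is absent I cannot tell from here, so the parameter description ('Service endpoint object information.') should at least name the expected keys and make clear that `defaultAction` is now the caller's responsibility, e.g. `@description('Optional. Network ACLs for the account. Set defaultAction (Allow/Deny) explicitly together with ipRules/virtualNetworkRules; requires customSubDomainName.')`. Note also that the new test fixture in this patch passes `"defaultAction": "deny"` in lower case while the module previously used `'Deny'`; if the provider compares case-sensitively the test deployment will fail, so aligning the fixture with `'Deny'` is cheap insurance. The `properties` block continues outside this hunk.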
From: MrMCake Date: Thu, 9 Jun 2022 15:50:51 +0200 Subject: [PATCH 23/28] Updated param & readme --- .../accounts/.parameters/parameters.json | 3 +++ arm/Microsoft.CognitiveServices/accounts/deploy.bicep | 2 +- arm/Microsoft.CognitiveServices/accounts/readme.md | 6 +++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json index cb3b166205..ae7236a929 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json @@ -30,6 +30,9 @@ "virtualNetworkRules": [] } }, + "customSubDomainName": { + "value": "<>domain" + }, "systemAssignedIdentity": { "value": true }, diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep index 1f34e37e73..5ded0783b8 100644 --- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep +++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep @@ -70,7 +70,7 @@ param diagnosticEventHubAuthorizationRuleId string = '' @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') param diagnosticEventHubName string = '' -@description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' are set.') +@description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' are set (including private endpoints).') param customSubDomainName string = '' @description('Optional. Whether or not public endpoint access is allowed for this account.') diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index 404ea72e64..e39187dc2f 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md 
+++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -32,7 +32,7 @@ This module deploys different kinds of cognitive services resources **Conditional parameters** | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | -| `customSubDomainName` | string | `''` | Subdomain name used for token-based authentication. Required if 'networkAcls' are set. | +| `customSubDomainName` | string | `''` | Subdomain name used for token-based authentication. Required if 'networkAcls' are set (including private endpoints). | | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | **Optional parameters** @@ -519,6 +519,9 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { "virtualNetworkRules": [] } }, + "customSubDomainName": { + "value": "<>domain" + }, "systemAssignedIdentity": { "value": true }, @@ -573,6 +576,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { defaultAction: 'deny' virtualNetworkRules: [] } + customSubDomainName: '<>domain' systemAssignedIdentity: true userAssignedIdentities: { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} From 9d5c8f3ab390fbd42fe0ce7bcf5da24b30211097 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Thu, 9 Jun 2022 15:58:55 +0200 Subject: [PATCH 24/28] Updated param & readme --- .../accounts/.parameters/parameters.json | 2 +- .../accounts/.parameters/speech.parameters.json | 2 +- arm/Microsoft.CognitiveServices/accounts/readme.md | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json index ae7236a929..e14fa9f176 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json 
+++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json @@ -31,7 +31,7 @@ } }, "customSubDomainName": { - "value": "<>domain" + "value": "<>xdomain" }, "systemAssignedIdentity": { "value": true diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json index 0e5cfb726c..7903268ccd 100644 --- a/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json +++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/speech.parameters.json @@ -20,7 +20,7 @@ } }, "customSubDomainName": { - "value": "<>domain" + "value": "<>speechdomain" }, "privateEndpoints": { "value": [ diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md index e39187dc2f..bc36a800f9 100644 --- a/arm/Microsoft.CognitiveServices/accounts/readme.md +++ b/arm/Microsoft.CognitiveServices/accounts/readme.md @@ -520,7 +520,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { } }, "customSubDomainName": { - "value": "<>domain" + "value": "<>xdomain" }, "systemAssignedIdentity": { "value": true @@ -576,7 +576,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { defaultAction: 'deny' virtualNetworkRules: [] } - customSubDomainName: '<>domain' + customSubDomainName: '<>xdomain' systemAssignedIdentity: true userAssignedIdentities: { '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {} @@ -621,7 +621,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { } }, "customSubDomainName": { - "value": "<>domain" + "value": "<>speechdomain" }, "privateEndpoints": { "value": [ 
@@ -653,7 +653,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = {
 userAssignedIdentities: {
 '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001': {}
 }
- customSubDomainName: '<>domain'
+ customSubDomainName: '<>speechdomain'
 privateEndpoints: [
 {
 subnetResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-005-privateEndpoints'
From 61c38f933bfa8b130960a57185f5657aa2f1cc70 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Thu, 16 Jun 2022 23:17:04 +0200
Subject: [PATCH 25/28] Added min test
---
 .../ms.cognitiveservices.accounts.yml | 1 +
 .../accounts/.parameters/min.parameters.json | 12 ++++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 arm/Microsoft.CognitiveServices/accounts/.parameters/min.parameters.json
diff --git a/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml b/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml
index eb4ef24ae6..88d66731a4 100644
--- a/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml
+++ b/.azuredevops/modulePipelines/ms.cognitiveservices.accounts.yml
@@ -48,6 +48,7 @@ stages:
 - path: $(modulePath)/.parameters/parameters.json
 - path: $(modulePath)/.parameters/speech.parameters.json
 - path: $(modulePath)/.parameters/encr.parameters.json
+ - path: $(modulePath)/.parameters/min.parameters.json
 - stage: Publishing
 displayName: Publishing
diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/min.parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/min.parameters.json
new file mode 100644
index 0000000000..0f4f624c48
--- /dev/null
+++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/min.parameters.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "<>-az-cgs-min-001"
+ },
+ "kind": {
+ "value": "SpeechServices"
+ }
+ }
+}
From 5db56d71e056054ade326ad7c9cd7309167f3f57 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Thu, 16 Jun 2022 23:21:48 +0200
Subject: [PATCH 26/28] Updated minor
---
 .../accounts/deploy.bicep | 2 +-
 .../accounts/readme.md | 44 ++++++++++++++++++-
 2 files changed, 43 insertions(+), 3 deletions(-)
diff --git a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep
index 5ded0783b8..6746b8ee93 100644
--- a/arm/Microsoft.CognitiveServices/accounts/deploy.bicep
+++ b/arm/Microsoft.CognitiveServices/accounts/deploy.bicep
@@ -70,7 +70,7 @@ param diagnosticEventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param diagnosticEventHubName string = ''
-@description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' are set (including private endpoints).')
+@description('Conditional. Subdomain name used for token-based authentication. Required if \'networkAcls\' or \'privateEndpoints\' are set.')
 param customSubDomainName string = ''
 @description('Optional. Whether or not public endpoint access is allowed for this account.')
diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md
index bc36a800f9..8c1e9d2d68 100644
--- a/arm/Microsoft.CognitiveServices/accounts/readme.md
+++ b/arm/Microsoft.CognitiveServices/accounts/readme.md
@@ -32,7 +32,7 @@ This module deploys different kinds of cognitive services resources
 **Conditional parameters**
 | Parameter Name | Type | Default Value | Description |
 | :-- | :-- | :-- | :-- |
-| `customSubDomainName` | string | `''` | Subdomain name used for token-based authentication. Required if 'networkAcls' are set (including private endpoints). |
+| `customSubDomainName` | string | `''` | Subdomain name used for token-based authentication. Required if 'networkAcls' or 'privateEndpoints' are set. |
 | `userAssignedIdentities` | object | `{object}` | The ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. |
 **Optional parameters**
@@ -486,6 +486,46 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = {

via JSON Parameter file +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-cgs-min-001" + }, + "kind": { + "value": "SpeechServices" + } + } +} + +``` + + + +
+ +via Bicep module + +```bicep +module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-accounts' + params: { + name: '<>-az-cgs-min-001' + kind: 'SpeechServices' + } +``` + +
+

+ +

Example 3

+ +
+ +via JSON Parameter file + ```json { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", @@ -592,7 +632,7 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = {

-

Example 3

+

Example 4

+
From e86ad9e72c73bde2891e871ae15dd8c31d59ba47 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Tue, 21 Jun 2022 09:37:49 +0200
Subject: [PATCH 27/28] Added network rule & service endpoint
---
 .../accounts/.parameters/parameters.json | 7 ++++++-
 .../virtualNetworks/parameters/parameters.json | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json b/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json
index e14fa9f176..c12f36aac5 100644
--- a/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json
+++ b/arm/Microsoft.CognitiveServices/accounts/.parameters/parameters.json
@@ -27,7 +27,12 @@
 "networkAcls": {
 "value": {
 "defaultAction": "deny",
- "virtualNetworkRules": []
+ "virtualNetworkRules": [
+ {
+ "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001",
+ "action": "Allow"
+ }
+ ]
 }
 },
 "customSubDomainName": {
diff --git a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json
index d455744dc2..89adeb108c 100644
--- a/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.Network/virtualNetworks/parameters/parameters.json
@@ -32,6 +32,9 @@
 },
 {
 "service": "Microsoft.KeyVault"
+ },
+ {
+ "service": "Microsoft.CognitiveServices"
 }
 ]
 },
From 3fcf9645f9367229efd936edd4b1ce99b0a6148b Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Tue, 21 Jun 2022 09:49:36 +0200
Subject: [PATCH 28/28] Updated readme
---
 arm/Microsoft.CognitiveServices/accounts/readme.md | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
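Review bot: The new `virtualNetworkRules` entry in parameters.json carries `"action": "Allow"`, which is the shape of a storage-account network rule; as far as I know the Cognitive Services `networkAcls.virtualNetworkRules` item only has `id`, `state` and `ignoreMissingVnetServiceEndpoint`, so the key is probably ignored or, depending on how deploy.bicep passes the object through, rejected at deployment — worth checking against the API version the module uses and dropping it if it is not part of the schema. The same object is copied into both readme examples in the following commit. The rule is only honoured when the `Microsoft.CognitiveServices` service endpoint is enabled on the referenced subnet `<>-az-subnet-x-001`; the second hunk adds that endpoint to a `serviceEndpoints` list, but the subnet it belongs to is outside the hunk, so please confirm it is the same subnet.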
diff --git a/arm/Microsoft.CognitiveServices/accounts/readme.md b/arm/Microsoft.CognitiveServices/accounts/readme.md
index 8c1e9d2d68..d6856965e2 100644
--- a/arm/Microsoft.CognitiveServices/accounts/readme.md
+++ b/arm/Microsoft.CognitiveServices/accounts/readme.md
@@ -556,7 +556,12 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = {
 "networkAcls": {
 "value": {
 "defaultAction": "deny",
- "virtualNetworkRules": []
+ "virtualNetworkRules": [
+ {
+ "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001",
+ "action": "Allow"
+ }
+ ]
 }
 },
 "customSubDomainName": {
@@ -614,7 +619,12 @@ module accounts './Microsoft.CognitiveServices/accounts/deploy.bicep' = {
 ]
 networkAcls: {
 defaultAction: 'deny'
- virtualNetworkRules: []
+ virtualNetworkRules: [
+ {
+ id: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001'
+ action: 'Allow'
+ }
+ ]
 }
 customSubDomainName: '<>xdomain'
 systemAssignedIdentity: true